Assuming that a CP, simplifying a lot, is “What must be met to manage the certificate life-cycle” and the certification practices statement (CPS) are the “how I do it to meet the CP”, it seems clear that each Certification Services Provider must have a CPS, but that the CPs could be cross-Certification Services Provider, at least a very specific CP with a very clear purpose (e.g. legal representative of a company), promoted by the government.
From my point of view, this is especially relevant in two cases:
- If the Certification Services Provider has a hierarchy with multiple subordinate or intermediate CAs, depending on the focus of the hierarchy, can be very interesting to define the entire CP cross hierarchy.
- Certificates of Spanish Law 11/2007. Profiles are defined with a great level of detail and too much information (looking for interoperability, I suppose) and we were on the verge of these profiles become CPs and providers do not have to create new CPs, with their OIDs, all identical, to comply with these profiles.
What do you think? Is there room to simplify the number of certificate policies? Do they have meaning independent certificate policies (transverse to) the Certification Services Provider?
To try to supplement this entry, I have discussed the topic at LinkedIn, discovering a heated group discussion (restricted) Electronic Signature Group.
Participated in the debate Laszlo Szentirmai – Policy administrator at NetLock Kft., first Hungarian Certification Authority issuing qualified certificates, Charles Moore – CEO and founder of VillageMall – and Vojtech Kment – ICT consultant, lawyer specialized in electronic document security and CEO of axonNet – the latter two very active members of the LinkedIn groups.
Hungary seems to have a similar situation, and more than spewing light on the subject, raises new questions, showing concern especially for the certificate policies not covered by the European Directive and national laws, such as SSL, for example.
Meanwhile, Charles is shown quite critical of which involves the electronic signature with comments like “One takes a simple zero cost process where no-one is disadvantaged, i.e even the poorest and least educated can place a X on a bit of paper, and we try and replace this with a system that no one understands, cost an absolute fortune” and simplifies the issue by arguing that, ultimately a PC is nothing more than an agreement, something with which I agree, but the problem is not what it is, but the high number to manage. I do not think that a simplification of nature reduces this problem.
Of course, Charles is not shown in favor of a PC government.
To Vojtech, the issue is more complex, he detailed the difficulties that a PC can have and which implies the high number.
Finally the debate ended focusing more on just what a CP is and how one shpuld develop it than if one should to minimize their number and whether it would be a development of CP’s from the Public Administration.
What do you think? Is there room to simplify the number of certificate policies? Do they have meaning independent certificate policies (transverse to) the Certification Services Providers?
And you know, if you liked this entry, or you think may be helpful to others, please share it via the buttons you’ll find below.