What is the role of a Policy CA

  • Question

  • Hello All

    Can someone please help me with the following question (thanks in advance)

    I read the following (from another post on this forum regarding Policy CAs)

    ---------------------

    The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI, the processes that validate the identity of certificate holders, and the processes that enforce the procedures that manage certificates. A policy CA issues certificates only to other CAs. The CAs that receive these certificates must uphold and enforce the policies that the policy CA defined.

    It is not mandatory to use policy CAs unless different divisions, sectors, or locations of your organization require different issuance policies and procedures. However, if your organization requires different issuance policies and procedures, you must add policy CAs to the hierarchy to define each unique policy. For example, an organization can implement one policy CA for all certificates that it issues internally to employees and another policy CA for all certificates that it issues to non-employees.

    ---------------------

    Now the statement above

    The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI

    To me that sounds like the CPS?

    My understanding is the CPS is simply a document (normally a text file) which can be accessed via a URL (e.g. HTTP) in the same manner as a CRL. If that is the case, is the location of the CPS detailed in a known extension like the CDP extension?

    Also
    How do you 'enforce' the Policy as detailed by the Policy CA, for example

    Let's say we have a three-level PKI, Root > Policy CA (only issues certs to the Issuing CA) > Issuing CA

    Now as far as I am aware, with an Enterprise AD-joined CA (issuing CA), requesting and obtaining certificates is controlled by Templates, and these Templates are controlled by Security ACLs (AD security) detailing who can Read, Enroll, Auto-Enroll for a certificate (e.g. WEB Server) based on these templates.

    If the above is correct, where does the Policy CA come in, in as much as 'enforcing a given policy'? For example, let's say the Policy CA states any certs issued by me to Issuing CAs, these Issuing CAs can only allow the WEB Server template. What is to stop an Admin giving Read and Enroll permissions for the Code Signing template, and thereby issuing Code Signing certs from the Issuing CA?

    Are the Policies set up on the Policy CA (I assume you somehow set up Policies, hence the name?) related to EKU? For example, when the Policy CA issues a CA Cert (basic constraints) to the Issuing CA, does the Policy CA set certain EKUs (which I understand are known OIDs) in the CA cert it issues to the Issuing CA, somehow preventing the Issuing CA from issuing a Code Signing Cert for example?

    Any advice most welcome as I would really like to understand the mechanics of the above

    Thanks All in advance

    AAnotherUser__

    Tuesday, October 14, 2014 3:49 PM

Answers

  • > To me that sounds like the CPS?

    exactly.

    > If that is the case is the location of the CPS detailed in a known extension like the CPD extension?

    yes, it is called the Certificate Policies extension. Go to https://www.verisign.com or https://www.digicert.com, THOUSANDS OF THEM!!!111oneone and examine their certificates in the Details tab. There you will find a Certificate Policies extension, which will include a policy OID (mandatory) and a combination of User Notice and/or CPS location URL. The Windows certificate GUI control fetches this extension and activates the Issuer Statement button in the General tab. If the certificate contains only a User Notice, a small dialog with the User Notice will appear. If there is a URL, you will be redirected to the URL referenced in the Certificate Policies extension.

    > If the above is correct where does the Policy CA come in, in as much as 'enforcing a given policy' for example lets say the Policy CA states any certs issued by me to Issuing CA's these Issuing CA can only allow the WEB Server template.

    this assumption is incorrect. The CPS does not restrict the certificate types allowed to you. The CPS defines the procedure which is used to issue certificates to you. For example, the authentication procedure (user name and password combination, hardware tools, biometrics or even face-to-face meetings), the list of criteria you should pass in order to get the certificate, your and the CA's (relying parties') liability, responsibility and certificate usage rules. A certificate is not your property, it is the property of the issuing CA.

    Consider a certificate like a personal passport (ID card). A passport is not your property, it is the property of the issuing organization (state organization). Before getting the passport, you submit documents that prove your personality (entity). If you are supplying a birth certificate it is a sort of initial enrollment; if you submit an existing passport it is re-enrollment (everything like in certificates). You sign an agreement between you and the state. This agreement is a CPS: it defines the passport issuance terms (validity, re-enrollment procedures, etc.) and usage policies. You shall not give your certificate to 3rd parties (except the ones allowed by a government). You shall notify the issuing organization if you lost the passport, or it was lost. You can continue these parallels (between your passport or personal ID card and digital certificates).

    Regarding technical enforcement. A Policy CA can define multiple policies. All of them are listed in the Policy CA certificate itself. All certificates issued below (unlimited levels down) must belong to one of the mentioned policies. RFC 5280 defines the certificate policy OID constraint validation. If a constraint is violated, the certificate chaining engine will report an error. If the Policy CA defines a policy with OID=1.1.1 and some certificate below is issued under policy 1.2.1, the certificate will become invalid because of the constraint violation.

    Since it is a bare measure, the owner of a Policy CA should perform regular audits of its members to verify whether the policies are followed. The Policy CA may stop the relationship with a child CA (by revoking the child CA certificate) if policy violations are found during an audit.

    > some how preventing the Issuing CA from issuing a Code Signing Cert for example

    it is possible, but not mandatory. The Policy CA certificate may define only particular EKUs allowed below. It can be done via specific EKUs in the policy CA certificate, application policy constraints, or extended properties.

    > I would really like to understand the mechanics of the above

    you are going to be a PKI expert!

    Ok, I wrote a ton of words, but the reality is not that bright. Policies are violated, constraints are not followed. Eventually, who cares? Comodo has a strict enough CPS, but constantly issues legitimate certificates to unknown persons, because someone calls Comodo and says "Hello, I'm from Google, please send me a few certs" and they send them. Many years ago, VeriSign failed in the same way. Who said that the EKU extension is strictly followed? Examine the certificate at https://login.live.com. An intermediate CA is not eligible to issue end entity certificates for other purposes (EKU) than the ones listed in its own certificate. REALLY? But who cares? IE doesn't care. Policy constraints are violated? Who cares if nobody will notice that (I didn't see the app that would complain so loud). But all this doesn't mean that you can do the same. You still need to follow all rules, recommendations and best practices even if they are not mandatory. It is a part of your PKI's success.


    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

    • Marked as answer by AAnotherUser Wednesday, October 15, 2014 5:10 AM
    Tuesday, October 14, 2014 7:08 PM
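The chain walk the answer describes (policy OIDs narrowing down the hierarchy, and optionally EKUs doing the same), as an added example that is not part of the original answer or of any project's code. It models certificates as plain dicts rather than real X.509 objects, starts below the trust anchor as RFC 5280 section 6.1 does, and uses the answer's 1.1.1 / 1.2.1 OIDs; the `require_explicit_policy` flag and the Windows-style "no EKU means any purpose" rule for CA certificates are assumptions of the model.

```python
# Simplified RFC 5280 certificate-policy check plus EKU chaining.
# Constructed toy hierarchy: Policy CA > Issuing CA > end entity.
ANY_POLICY = "2.5.29.32.0"           # anyPolicy
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning

POLICY_CA = {"name": "Policy CA", "policies": ["1.1.1"],
             "require_explicit_policy": True, "eku": [SERVER_AUTH]}
ISSUING_CA = {"name": "Issuing CA", "policies": ["1.1.1"]}  # no EKU: inherits

def narrow_policies(valid, cert):
    """Intersect the valid policy set with what this cert asserts.
    anyPolicy on either side leaves the other side unchanged; a cert
    with no Certificate Policies extension yields the empty set."""
    asserted = set(cert.get("policies", []))
    if not asserted:
        return set()
    if ANY_POLICY in valid:
        return asserted
    if ANY_POLICY in asserted:
        return valid
    return valid & asserted

def narrow_eku(valid, cert):
    """Windows-style EKU chaining (assumed model): a CA without EKU permits
    any purpose, otherwise a child may only use EKUs its issuers carry."""
    asserted = set(cert.get("eku", []))
    if valid is None:
        return asserted or None
    return valid if not asserted else valid & asserted

def validate_chain(chain):
    """chain is issuer-first, leaf last, excluding the trust anchor.
    Returns (ok, reason)."""
    valid_policies, valid_eku, explicit = {ANY_POLICY}, None, False
    for cert in chain:
        valid_policies = narrow_policies(valid_policies, cert)
        explicit = explicit or cert.get("require_explicit_policy", False)
        if explicit and not valid_policies:
            return False, f"policy constraint violated at {cert['name']}"
        before = valid_eku
        valid_eku = narrow_eku(valid_eku, cert)
        if before is not None and cert.get("eku") and not valid_eku:
            return False, f"EKU not permitted by issuer at {cert['name']}"
    return True, "chain satisfies policy and EKU constraints"

if __name__ == "__main__":
    web = {"name": "web", "policies": ["1.1.1"], "eku": [SERVER_AUTH]}
    bad = {"name": "bad", "policies": ["1.2.1"], "eku": [SERVER_AUTH]}
    signer = {"name": "signer", "policies": ["1.1.1"], "eku": [CODE_SIGNING]}
    for leaf in (web, bad, signer):
        print(leaf["name"], validate_chain([POLICY_CA, ISSUING_CA, leaf]))
```

A leaf carrying both serverAuth and codeSigning under this Policy CA still chains, but its effective EKU set shrinks to serverAuth only, which is why the answer says EKU restriction is possible but not a hard guarantee.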

All replies

  • Thank you once again for a very detailed reply, Vadims :)

    AAnotherUser__

    Tuesday, October 14, 2014 9:00 PM