Introduction To Policy; About Policy - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Introduction to Policy
You can configure the main subsystems of CMS (the Certificate Manager,
Registration Manager, and Data Recovery Manager) to apply organizational
policies to an end entity's certificate enrollment and management requests
before servicing them. For example, policies you might want a Certificate
Manager to impose on these requests include setting minimum and maximum limits
on the validity period and key length of certificates, setting extensions based
on the end entity's role within an organization, and setting signing algorithms.
This section provides an overview of policy in general. Topics include:
About Policy
Policy Rules
Policy Processor

About Policy
Policy refers to a set of rules that CMS uses to evaluate or verify an incoming
request from an end entity and to determine the outcome. The incoming requests
governed by policies include certificate issuance, certificate renewal,
certificate revocation, key archival, and key recovery requests. For example, in
the case of a certificate issuance request, the outcome would be the certificate
content.
A Certificate Manager's policy can include rules for evaluating certificate
formulation, signing, renewal, and revocation requests. For example, you can
configure a Certificate Manager's policy to impose restrictions on validity
length, key type, key length, subject name, extensions, and signing algorithm
during certificate issuance.
A Registration Manager's policy can include rules for verifying incoming
certificate issuance, renewal, and revocation requests from end entities in order
to formulate the certificate content before forwarding the requests to a
Certificate Manager for signing. For example, you can configure a Registration
Manager's policy to impose restrictions on validity period, key length, subject
name, and extensions. In general, policies for Registration Manager are largely
the same as for Certificate Manager.
A Data Recovery Manager's policy can include rules for verifying users'
encryption private key archival and recovery requests.
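As an added illustration (not CMS code and not CMS configuration syntax), the following Python sketch models the idea described above: a per-request-type set of rules that either rejects a request or shapes the certificate content. All rule names, field names, limits, and role profiles are assumptions constructed for this example.

```python
# Conceptual model only: names, fields and limits are assumptions, not CMS settings.
from dataclasses import dataclass, field

@dataclass
class Request:
    kind: str            # "issuance", "renewal", ...
    key_type: str
    key_bits: int
    validity_days: int
    signing_alg: str
    role: str
    extensions: dict = field(default_factory=dict)

def key_constraints(req, min_bits=2048, max_bits=4096, types=("RSA",)):
    if req.key_type not in types:
        return f"key type {req.key_type} not allowed"
    if not min_bits <= req.key_bits <= max_bits:
        return f"key length {req.key_bits} outside {min_bits}-{max_bits}"

def validity_constraints(req, min_days=30, max_days=730):
    if not min_days <= req.validity_days <= max_days:
        return f"validity {req.validity_days}d outside {min_days}-{max_days}d"

def signing_alg_constraints(req, allowed=("SHA256withRSA",)):
    if req.signing_alg not in allowed:
        return f"signing algorithm {req.signing_alg} not allowed"

def role_extensions(req):
    # Shapes certificate content rather than rejecting: extensions follow the role.
    usage = {"server": ["serverAuth"], "employee": ["clientAuth", "emailProtection"]}
    if req.role not in usage:
        return f"no extension profile for role {req.role}"
    req.extensions["extendedKeyUsage"] = usage[req.role]

# Rules are selected by request type; a type with no rule set is rejected.
POLICY = {
    "issuance": [key_constraints, validity_constraints,
                 signing_alg_constraints, role_extensions],
    "renewal": [validity_constraints, signing_alg_constraints],
}

def evaluate(req):
    """Run every rule for the request type and collect all failure reasons."""
    if req.kind not in POLICY:
        return "rejected", [f"no policy for request type {req.kind}"]
    errors = [e for rule in POLICY[req.kind] if (e := rule(req))]
    return ("rejected", errors) if errors else ("accepted", [])
```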
Using policies, you can configure CMS to perform one or more of the following
operations on each certificate issuance or management request it receives:
Netscape Certificate Management System Administrator's Guide • February 2003
