Trying to understand how / if the CPS and Certificate Policies are enforced? If I define different CPS or Certificate Policies in a 2 or 3 tier hierarchy, are the practices and policies defined in any way technically enforces or it is only a "statement" that is suppose to be followed? Example. Although my Policy CA / Certificate Policy states that I will validate a users identity by means of drivers license before issuing a certificate, how technically is that enforced? What prevents a Certificate Manager from issuing that user a certificate without seeing his/her drivers license? Thanks, Paul

On Fri, 20 May 2011 15:50:58 +0000, PaulT15 wrote: Trying to understand how / if the CPS and?Certificate Policies are enforced? If I define different CPS or Certificate Policies in a 2 or 3 tier hierarchy, are the practices and policies defined in any way technically enforces or it is only a "statement" that is suppose to be followed? Example. Although my Policy CA / Certificate Policy states that I will validate a users identity by means of drivers license before issuing a certificate, how technically is that enforced? What prevents a Certificate Manager from issuing that user a certificate without seeing his/her drivers license? Out of the box, they are not enforced with any technical controls. That's why something like FIM CM is a good idea as it allows you to apply technical controls that support your policies and procedures. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Output: What people who talk backwards do with their cat.