Some questions on Certificate Policy
Hi,

I was surfing the web minding my own business when I tripped over a forum where a guy states that "...There are two common 'types' of certificate policy defined today (level of assurance based and certificate use based)...".

1. Could anyone explain the difference?
2. Another question: are issuance policies and certificate policies the same thing?
3. Anyone got a good example of a CP? Brian's link in his great book didn't work (http://iase.disa.mil/pki/dod-cp-v90-final-9-feb-05-signed.pdf).
4. Is it common to tie the CP to a certificate using OIDs in the Certificate Policies Extension? Any use having a CP if I don't tie the cert to it?

Thanks
Lars
October 14th, 2009 3:06pm

1. A CP based on the level of assurance will have multiple levels defined, for example, Low Assurance, Medium Assurance (Software), Medium Assurance (Hardware), High Assurance. These levels are defined by a number of factors including: How is the subject's identity verified? How is the private key stored and protected? What is the maximum lifetime of the certificate?

A CP based on the certificate usage is generally defined by the application policy OIDs contained within the certificate and could cover such uses as signature or encryption or both, VPN/Remote Access, logon, email, document signing, etc.

Keep in mind here that in both cases, it is up to the relying party or application to make the decision on which certificates to accept or reject based on the stated CP.

2. In the real world, no, issuance policies and certificate policies are not the same thing. One of the things that should be included in a certificate policy is an issuance policy. Microsoft tends to use the terms issuance policy and certificate policy interchangeably in some of their documentation/UI, but in reality they are not the same thing.

3. The link in question is time sensitive, as indicated by the date in the PDF file name. Currently the DoD CP is at v10.0, which you can find here - http://iase.disa.mil/policy-guidance/index.html#pki. Click the link titled DoD X.509 Certificate Policy v10.0.

4. Yes, that is very common. Even if you don't do this, you should still develop a CP.

Paul Adare
CTO IdentIT Inc.
ILM MVP
November 13th, 2009 10:00am
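To make question 4 and the answer's "the relying party decides" point concrete, here is an added example that is not part of the original thread or of any vendor's code. It hand-encodes the certificatePolicies extension from RFC 5280 section 4.2.1.4 (a SEQUENCE of PolicyInformation, each carrying a policyIdentifier OID and optional qualifiers such as a CPS pointer), decodes it again, and applies the kind of accept/reject rule a relying party would enforce against its list of acceptable policy OIDs. The assurance-level OIDs under 1.3.6.1.4.1.99999.1 are hypothetical placeholders, not OIDs from any real CP, and the CPS URI is constructed; in practice you would emit the extension with OpenSSL or a PKI library rather than by hand, but the structure and the decision logic are what matter here.

```python
"""Encode, decode and check an RFC 5280 certificatePolicies extension (no third-party deps)."""
from typing import List, Optional, Sequence

CERTIFICATE_POLICIES_EXT_OID = "2.5.29.32"  # id-ce-certificatePolicies (RFC 5280 4.2.1.4)
ANY_POLICY_OID = "2.5.29.32.0"              # anyPolicy (RFC 5280)
ID_QT_CPS_OID = "1.3.6.1.5.5.7.2.1"         # CPS pointer qualifier (RFC 5280 4.2.1.4)

# Hypothetical assurance-level policy OIDs under a placeholder private arc.
# These are NOT registered OIDs from any real CP; a real CP publishes its own.
HYPO_ARC = "1.3.6.1.4.1.99999.1"
HYPO_LOW, HYPO_MEDIUM_SW = HYPO_ARC + ".1", HYPO_ARC + ".2"
HYPO_MEDIUM_HW, HYPO_HIGH = HYPO_ARC + ".3", HYPO_ARC + ".4"


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, first two arcs packed, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_sequence(content: bytes) -> bytes:
    return b"\x30" + _der_length(len(content)) + content


def encode_certificate_policies(policy_oids: Sequence[str], cps_uri: Optional[str] = None) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier, policyQualifiers OPTIONAL }."""
    qualifiers = b""
    if cps_uri is not None:  # PolicyQualifierInfo { id-qt-cps, IA5String uri }
        ia5 = b"\x16" + _der_length(len(cps_uri)) + cps_uri.encode("ascii")
        qualifiers = encode_sequence(encode_sequence(encode_oid(ID_QT_CPS_OID) + ia5))
    return encode_sequence(b"".join(encode_sequence(encode_oid(o) + qualifiers) for o in policy_oids))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    if len(body) > 1 and body[-1] & 0x80:
        raise ValueError("unterminated OID sub-identifier")
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_certificate_policies(ext_value: bytes) -> List[str]:
    """Return the asserted policy OIDs; qualifiers (CPS pointer, user notice) are skipped."""
    tag, outer, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def relying_party_accepts(ext_value: bytes, acceptable: Sequence[str], honor_any_policy: bool = False) -> bool:
    """The relying party's decision: accept only if the cert asserts a policy on our list.
    anyPolicy is honoured only when the caller opts in; a cert asserting anyPolicy
    is not proof of a specific assurance level."""
    asserted = set(decode_certificate_policies(ext_value))
    if honor_any_policy and ANY_POLICY_OID in asserted:
        return True
    return not asserted.isdisjoint(acceptable)


if __name__ == "__main__":
    ext = encode_certificate_policies([HYPO_MEDIUM_HW], cps_uri="https://pki.example.test/cps")
    print("certificatePolicies DER:", ext.hex())
    print("asserted:", decode_certificate_policies(ext))
    print("VPN gateway requiring hardware-backed or high assurance accepts:",
          relying_party_accepts(ext, [HYPO_MEDIUM_HW, HYPO_HIGH]))
    print("same gateway given a low-assurance cert accepts:",
          relying_party_accepts(encode_certificate_policies([HYPO_LOW]), [HYPO_MEDIUM_HW, HYPO_HIGH]))
```

The accept list is the relying party's own configuration: the same certificate is accepted by an application whose policy says "medium hardware or better" and rejected by one that insists on high assurance, which is exactly why the CP text has to be written down and the OID has to be in the certificate for the decision to be mechanisable.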

