Introduction to Policy

560 Netscape Certificate Management System Installation and Setup Guide • May 2002

What Is Policy?

Policy refers to the set of rules that Certificate Management System uses to evaluate or verify an incoming request from an end entity and to determine its outcome. The requests governed by policies include certificate issuance, certificate renewal, certificate revocation, key archival, and key recovery requests. For example, in the case of a certificate issuance request, the outcome is the content of the certificate that is issued.

• A Certificate Manager's policy can include rules for evaluating certificate formulation, signing, renewal, and revocation requests. For example, you can configure a Certificate Manager's policy to impose restrictions on validity length, key type, key length, subject name, extensions, and signing algorithm during certificate issuance.

• A Registration Manager's policy can include rules for verifying incoming certificate issuance, renewal, and revocation requests from end entities, in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing. For example, you can configure a Registration Manager's policy to impose restrictions on validity period, key length, subject name, and extensions. In general, the policies available for a Registration Manager are largely the same as those for a Certificate Manager.

• A Data Recovery Manager's policy can include rules for verifying users' encryption private key archival and recovery requests.

Using policies, you can configure Certificate Management System to perform one or more of the following operations on each certificate issuance or management request it receives:

• Screen the request for specific content, and modify, reject, or defer (for agent approval) it accordingly. For example, the request might be checked for compliance with organizational constraints, such as key algorithm, key size, validity period, or a particular signing algorithm; if it did not meet the requirement, the subsystem would modify the request or return an error, depending on the severity of the problem.

• Set common attributes, such as extensions, for user and server certificate requests.
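The screening and attribute-setting operations described above, as an added example that is not part of this guide or of the Netscape CMS code base: a small Python model of a policy chain in which each rule inspects one aspect of a certificate issuance request and answers with accept, modify, defer (for agent approval), or reject, and the most severe answer decides the request. The request fields, rule names, thresholds (2048-bit RSA minimum, 365-day validity cap, allowed signing algorithms, the "O=Example Corp" namespace) and the per-type extension lists are all hypothetical, chosen only to show how severity drives the outcome.

```python
# Added example (not Netscape CMS code): a minimal model of a policy chain
# that screens a certificate issuance request and returns accept / modify /
# defer / reject, in the spirit of the rules described in the text.  Requests
# are plain dicts of the fields a rule would inspect.  All constraints below
# are hypothetical.
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Tuple


class Outcome(IntEnum):
    ACCEPT = 0   # request is fine as submitted
    MODIFY = 1   # request was altered to comply and may proceed
    DEFER = 2    # request queued for agent approval
    REJECT = 3   # error returned to the end entity


@dataclass
class Decision:
    outcome: Outcome
    reason: str = ""


Rule = Callable[[dict], Decision]

# Hypothetical organisational constraints of the kind the text lists.
ALLOWED_KEY_TYPES = {"RSA", "EC"}
MIN_RSA_BITS = 2048
ALLOWED_SIG_ALGS = {"SHA256withRSA", "SHA256withECDSA"}
MAX_VALIDITY_DAYS = 365
ORG_SUFFIX = ",O=Example Corp"
COMMON_EXTENSIONS = {
    "user": ["keyUsage=digitalSignature", "extendedKeyUsage=clientAuth"],
    "server": ["keyUsage=digitalSignature,keyEncipherment",
               "extendedKeyUsage=serverAuth"],
}


def key_rule(req: dict) -> Decision:
    # A wrong key type or a short RSA key cannot be fixed by the CA: reject.
    if req["key_type"] not in ALLOWED_KEY_TYPES:
        return Decision(Outcome.REJECT, f"key type {req['key_type']} not permitted")
    if req["key_type"] == "RSA" and req["key_bits"] < MIN_RSA_BITS:
        return Decision(Outcome.REJECT,
                        f"RSA key of {req['key_bits']} bits below {MIN_RSA_BITS}")
    return Decision(Outcome.ACCEPT)


def signing_alg_rule(req: dict) -> Decision:
    # The CA controls the signature, so a weak requested algorithm is a
    # low-severity problem: override it rather than reject.
    if req["signing_alg"] not in ALLOWED_SIG_ALGS:
        req["signing_alg"] = "SHA256withRSA"
        return Decision(Outcome.MODIFY, "signing algorithm replaced with SHA256withRSA")
    return Decision(Outcome.ACCEPT)


def validity_rule(req: dict) -> Decision:
    # Over-long validity is clamped, not rejected.
    if req["validity_days"] > MAX_VALIDITY_DAYS:
        req["validity_days"] = MAX_VALIDITY_DAYS
        return Decision(Outcome.MODIFY, f"validity clamped to {MAX_VALIDITY_DAYS} days")
    return Decision(Outcome.ACCEPT)


def subject_rule(req: dict) -> Decision:
    # A subject outside the organisation's namespace is not necessarily wrong,
    # but a person must look at it: defer for agent approval.
    if not req["subject"].endswith(ORG_SUFFIX):
        return Decision(Outcome.DEFER, "subject outside configured namespace")
    return Decision(Outcome.ACCEPT)


def extension_rule(req: dict) -> Decision:
    # "Set common attributes": add the extensions the request type requires.
    added = [e for e in COMMON_EXTENSIONS[req["cert_type"]] if e not in req["extensions"]]
    if added:
        req["extensions"].extend(added)
        return Decision(Outcome.MODIFY, "added extensions " + ", ".join(added))
    return Decision(Outcome.ACCEPT)


POLICY: List[Rule] = [key_rule, signing_alg_rule, validity_rule, subject_rule, extension_rule]


def evaluate(req: dict, rules: List[Rule] = POLICY) -> Tuple[Outcome, List[str]]:
    """Run every rule; the most severe outcome wins and REJECT stops the chain."""
    worst = Outcome.ACCEPT
    reasons: List[str] = []
    for rule in rules:
        d = rule(req)
        if d.outcome != Outcome.ACCEPT:
            reasons.append(f"{rule.__name__}: {d.reason}")
        worst = max(worst, d.outcome)
        if d.outcome == Outcome.REJECT:
            break
    return worst, reasons


def make_request(**overrides) -> dict:
    # Constructed sample request; fields mirror what the rules inspect.
    base = dict(cert_type="user", key_type="RSA", key_bits=2048,
                signing_alg="SHA256withRSA", validity_days=180,
                subject="CN=alice,O=Example Corp",
                extensions=["keyUsage=digitalSignature", "extendedKeyUsage=clientAuth"])
    base.update(overrides)
    return base


if __name__ == "__main__":
    samples = [
        ("clean", make_request()),
        ("long validity + weak sig", make_request(validity_days=3650, signing_alg="MD5withRSA")),
        ("foreign subject", make_request(subject="CN=mallory,O=Other Org")),
        ("short key", make_request(key_bits=1024)),
    ]
    for label, req in samples:
        outcome, reasons = evaluate(req)
        print(f"{label:26s} -> {outcome.name:7s} {reasons}")
```

The ordering in `evaluate` is the point: a rule that can repair the request (validity, signing algorithm, missing extensions) returns MODIFY and the request continues, a rule that needs human judgement returns DEFER, and a defect the CA cannot correct (wrong key type, short key) returns REJECT and ends evaluation. Because outcomes are ordered, a request that is both over-long and outside the namespace is deferred, not silently modified.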