A Certification Practice Statement (CPS) is a document that specifies the practices that a Certificate Authority (CA) employs to issue certificates on its public key infrastructure (PKI).
In general, a public key certificate – or simply a certificate – establishes a relationship between the public key of an entity (a person, an organization or, in the case of RPKI, a numbering resource) and a set of data that identifies that entity (names, telephone numbers, IP addresses or autonomous systems). This entity is usually known as the "subject" of the certificate.
A certificate "user" is another entity that needs to use the data and public key specified in a certificate. The certificate user trusts the veracity of the relationship described by the certificate. These certificates are most commonly used for verifying digital signatures.
A CPS is not, of itself, a contract, but it is of fundamental importance as it provides a baseline for auditing a Certificate Authority's management procedures.
A CPS must contain detailed information on:
Generally speaking, a Certificate Policy (CP) covers the same topics as a CPS but does so from a more abstract, less operational point of view. For example, in the case of physical access control, a CP may state that "Biometric fingerprint access control shall be implemented for all personnel".
A CPS, on the other hand, contains strictly operational details, such as which access control equipment will be installed or which algorithms will be used to protect a key. Continuing with the preceding example, the CPS must specify which biometric access control equipment provider will be used and how the personnel's fingerprints will be taken.
Because it is a policy and minimum specification document, a CP is often shared by various CAs and may therefore be important when seeking interoperability among different CAs. A CPS, however, is specific to one CA.
LACNIC is currently working on preparing the CPS for the RPKI Certificate Authority. This document is well advanced and a draft version is already available.
The community's trust in the certificates issued by LACNIC's RPKI Certificate Authority is essential for certificates to begin being used to validate the use of resources. This trust is largely related to the community's opinion on the aspects detailed in the CPS, which is why LACNIC encourages the community to provide their opinions, comments and general feedback on the document.
The draft version of the CPS is available in PDF format.
In addition, a mailbox has been created – firstname.lastname@example.org – where we invite the community as a whole to send their input regarding LACNIC's CPS for the RPKI.