For this example let us presume that the business has stipulated that users must use digital certificates to authenticate to their application. One of the main functions of a CA is to verify the identity of the entity requesting a new certificate. If a security policy does not cover how this verification occurs and the CA issues certificates to whoever requests them, there is a risk that a rogue employee will obtain a certificate. A PKI is also built on a trust model: how will the business have confidence in the identity of the entity presenting a certificate once it becomes widely known that there is no proper validation process in place to verify the identity of the certificate owner? I know that the application has to be configured to accept the certificate, but the rogue employee is already halfway there by obtaining a client-side certificate.
Another example of how a lack of a PKI policy can be a disservice to your organisation is where a service owner requires a user or an application to present a client-side digital certificate to authenticate to their service. We will use the certificate example above. In most scenarios an application will make three basic checks before authenticating the end user or service: it will check that the certificate has not expired, it will check that the common name (CN) is allowed to authenticate, and it will check the identity of the CN by verifying that it has an entry for the issuer CN in its trust store. You might have applications that can check more fields, but the example I have given you is considered the bare minimum. For this example let us presume that the application being configured to use client-side certificates for authentication is not controlled by security policy. Let us say, for example, that the developer leaves out the check for the CN of the user presenting the certificate; it only checks that the certificate has not expired and that it was issued by a trusted CA. The end result is that any certificate (with the right key usages) that has been signed by My Root CA can authenticate to this service. This would give the business a false sense of security in relation to who can access this service. You could argue that how an application is configured to authenticate certificates should be part of an application security checklist, and if so, that checklist should at least be referenced in the PKI security policy.
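To make the gap between the developer's shortcut and the policy-driven check concrete, here is an added example (not code from the original post). It models only the certificate fields the post mentions; the issuer name My Root CA comes from the post, while the CN allow-list, the clientAuth EKU label and the sample certificates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed, simplified model of the fields a service reads from an already
# parsed X.509 client certificate (constructed). The issuer-CN lookup stands in
# for the TLS stack's chain validation and the post's trust-store entry check.
@dataclass(frozen=True)
class ClientCert:
    subject_cn: str
    issuer_cn: str
    not_after: datetime
    extended_key_usages: frozenset = frozenset()

TRUST_STORE = {"My Root CA"}                      # issuer CNs the service trusts
ALLOWED_CNS = {"payroll-batch", "alice.smith"}    # assumed allow-list of CNs
CLIENT_AUTH_EKU = "clientAuth"                    # assumed EKU label

def not_expired(cert: ClientCert, now: datetime) -> bool:
    return cert.not_after > now

def weak_authenticate(cert: ClientCert, now: datetime) -> bool:
    """The developer's shortcut from the post: expiry and trusted issuer only.
    Any certificate signed by My Root CA passes, whoever it was issued to."""
    return not_expired(cert, now) and cert.issuer_cn in TRUST_STORE

def policy_authenticate(cert: ClientCert, now: datetime) -> bool:
    """All three checks the post calls the bare minimum, plus the key-usage
    check the post mentions in passing."""
    if not not_expired(cert, now) or cert.issuer_cn not in TRUST_STORE:
        return False
    if CLIENT_AUTH_EKU not in cert.extended_key_usages:
        return False
    return cert.subject_cn in ALLOWED_CNS

# Constructed sample certificates: one legitimate, one obtained by the rogue
# employee from the same CA, one from an untrusted CA, and one expired.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLES = {
    "legit": ClientCert("alice.smith", "My Root CA", LATER, frozenset({"clientAuth"})),
    "rogue": ClientCert("bob.rogue", "My Root CA", LATER, frozenset({"clientAuth"})),
    "untrusted": ClientCert("alice.smith", "Other CA", LATER, frozenset({"clientAuth"})),
    "expired": ClientCert("alice.smith", "My Root CA", NOW, frozenset({"clientAuth"})),
}

def compare(now: datetime = NOW) -> dict:
    """Return {name: (weak_result, policy_result)} for every sample."""
    return {n: (weak_authenticate(c, now), policy_authenticate(c, now))
            for n, c in SAMPLES.items()}
```

Running `compare()` shows the rogue employee's certificate accepted by the shortcut and rejected once the CN allow-list and key-usage checks are enforced.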
Other things that should be considered in your security policy are minimum key length, key usages, enhanced key usages, and so on. This list is by no means complete, as the main aim of this blog is to demonstrate the importance of having a PKI security policy so that you can provide assurance to the business that the services the PKI is supposed to secure do just that.
I hope you found this blog interesting. As this is my very first time writing a blog for anything I would be grateful for any feedback that will help me make my next one better. Thank you for reading this far.