1.6 Applicability Statement

The Health Certificate Enrollment Protocol allows a client machine to obtain an X.509 certificate, as specified in [RFC3280], that represents its compliance with policy. Because the Health Certificate Enrollment Protocol relies on the client to make accurate reports of its current state, the protocol is not applicable by itself in environments where compliance of the client needs to be absolutely guaranteed. However, the Health Certificate Enrollment Protocol can<5> be used in such environments if supplemented by the use of hardware credentials or other suitable security mechanisms (for more information, see [TPM]) that can improve the reliability of the client reports.

Applicable uses of such an X.509 certificate include, but are not limited to, certificate-based Internet Protocol security (IPsec), as specified in [RFC2409]. In an IPsec scenario, network administrators can require clients to comply with the network security policies before accessing resources on the network. For example, administrators can configure IPsec policies to require a client to present a health certificate to the resource (as an indication of the client's compliance with network security policies) before the client can have access to the resource.