3.2.1.4.2.1.4.5 CA Policy Algorithm

The CA SHOULD use Config_CA_Policy_Algorithm_Implementation data to obtain the CA policy algorithm. The policy algorithm MUST determine if the certificate should be issued, set to pending, or denied, using the following processing rules:

  1. If the value of the Config_CA_Requests_Disposition datum has the 0x00000100 (REQDISP_PENDINGFIRST) bit set, set the request to pending.

  2. Else, if the value of the Config_CA_Requests_Disposition datum equals 0x00000001 (REQDISP_ISSUE), issue the certificate.

  3. Else, if the value of the Config_CA_Requests_Disposition datum equals 0x00000002 (REQDISP_DENY), deny the request.

  4. Else, set the request to pending.

In the Request table row for the current certificate request, the CA MUST set the following values to the values that are returned from the policy algorithm:

  • Request_Disposition: If the policy algorithm resulted in the certificate being issued, the CA MUST set the value to "certificate issued". If the policy algorithm resulted in the certificate being pended, the CA MUST set the value to "request pending". If the policy algorithm encountered an error, the CA MUST set the value to "request failed".

  • Request_Disposition_Message: The CA SHOULD populate this element with additional information that the licensee considers informative to a human.<78>
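
The processing rules and Request_Disposition values above, as an added Python example (not part of the specification or of any CA implementation), showing that rule 1 is a bit test while rules 2 and 3 are whole-value comparisons. The function names and the Decision enum are hypothetical and the sample values are constructed; the page names no Request_Disposition string for a denied request, so the example returns None for that case.

```python
from enum import Enum
from typing import Optional, Tuple

# Flag values as given in the processing rules.
REQDISP_ISSUE = 0x00000001
REQDISP_DENY = 0x00000002
REQDISP_PENDINGFIRST = 0x00000100


class Decision(Enum):  # hypothetical name, not from the specification
    ISSUE = "issue"
    PENDING = "pending"
    DENY = "deny"


def decide(disposition: int) -> Tuple[Decision, int]:
    """Return (decision, matching rule number) for Config_CA_Requests_Disposition."""
    # Rule 1 is a bit test, so it wins even when the low bits say "issue".
    if disposition & REQDISP_PENDINGFIRST:
        return Decision.PENDING, 1
    # Rules 2 and 3 compare the whole value, not individual bits.
    if disposition == REQDISP_ISSUE:
        return Decision.ISSUE, 2
    if disposition == REQDISP_DENY:
        return Decision.DENY, 3
    # Rule 4: any other value, including 0 and unknown bits, is pended.
    return Decision.PENDING, 4


def request_disposition(disposition) -> Optional[str]:
    """Request_Disposition string for the Request table row, per the text above."""
    try:
        decision, _ = decide(disposition)
    except TypeError:  # unreadable configuration: the algorithm hit an error
        return "request failed"
    return {
        Decision.ISSUE: "certificate issued",
        Decision.PENDING: "request pending",
    }.get(decision)  # None for DENY: the page names no string for it


if __name__ == "__main__":
    # Constructed sample values, chosen to exercise each rule.
    for value in (0x101, 0x001, 0x002, 0x003, 0x000, None):
        print(value, request_disposition(value))
```

A value such as 0x00000003 matches neither equality test and is pended under rule 4, so only an exact 0x00000001 results in issuance without a pending step.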

Certificates constructed by the policy algorithm MUST satisfy all the processing rules specified in section 3.2.1.4.2.1.

The CA SHOULD store some description of the policy algorithm in the Config_CA_Policy_Description data of the Abstract Data Model that can be requested by clients as described in section 3.2.1.4.3.2.5.