Certificate Policies: Certificate policies define what a certificate may be used for. A CA can potentially issue a number of different types of certificate: say, one for email, one for e-commerce, and one for financial transactions.
The policy for a given type might state that it isn't to be used for signing contracts or for purchasing equipment. Certificate policies affect both how a certificate is issued and how it's used.
A CA will also have policies governing interoperability with other CAs. When one organization agrees to trust certificates issued by another CA, the process of establishing that interoperability is called cross certification.
The organizations using the certificates also have the right to decide which types of certificates are used and for what purpose.
This is a voluntary process in that each organization involved decides which certificate uses to approve and how to approve them.
NOTE: According to RFC 5280, every certificate extension (Key Usage and Certificate Policies among them) carries a criticality flag. A relying party that does not recognize or cannot process a critical extension must reject the certificate, whereas an unrecognized non-critical extension may be ignored. The flag therefore constrains the relying party's handling of the certificate, not the CA that issued it.
The receiving organization can use this policy to determine whether the certificate has come from a legitimate source and is appropriate for the intended use.
Think about it this way: a PKI certificate can be generated any number of ways by any number of servers. The policy indicates which of those certificates will be accepted in a given application.
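A worked example of the relying-party side of this, added here and not part of the original text: a small Python program that parses the Key Usage and Certificate Policies extension values of a certificate (modelled as constructed, hand-encoded DER bytes rather than a real certificate) and applies an application's acceptance rule, including the RFC 5280 rule that an unrecognized critical extension makes the certificate unusable. The policy OIDs 2.23.140.1.2.1 and 2.23.140.1.2.2 are the CA/Browser Forum domain-validated and organization-validated identifiers; the private extension OID, the three applications and their acceptance rules are assumptions made for the illustration.

```python
"""Relying-party acceptance check over X.509 extensions, following RFC 5280.
Added example: the certificate is modelled as a list of (extension OID, critical
flag, DER value) tuples constructed inline, so nothing comes from a real cert."""

OID_KEY_USAGE = "2.5.29.15"        # RFC 5280 4.2.1.3
OID_CERT_POLICIES = "2.5.29.32"    # RFC 5280 4.2.1.4
OID_BASIC_CONSTRAINTS = "2.5.29.19"
KNOWN_EXTENSIONS = {OID_KEY_USAGE, OID_CERT_POLICIES, OID_BASIC_CONSTRAINTS}

# Bit positions of the KeyUsage BIT STRING (RFC 5280 4.2.1.3)
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6,
}

# CA/Browser Forum policy OIDs, used here as an application's "accepted" list
POLICY_DV = "2.23.140.1.2.1"
POLICY_OV = "2.23.140.1.2.2"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: returns (tag, value, next_pos).
    Short-form and one-byte long-form lengths are enough for these extensions."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        if length & 0x7F != 1:
            raise ValueError("unsupported DER length encoding")
        length, pos = buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Content octets of an OBJECT IDENTIFIER to dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:           # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage(der):
    """KeyUsage ::= BIT STRING. Returns the set of asserted usage names."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage is not a BIT STRING")
    unused, bits = body[0], body[1:]
    nbits = len(bits) * 8 - unused
    return {name for name, i in KEY_USAGE_BITS.items()
            if i < nbits and bits[i // 8] & (0x80 >> (i % 8))}


def parse_certificate_policies(der):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation.
    Returns the policyIdentifier OIDs; policy qualifiers are ignored."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies is not a SEQUENCE")
    policies, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)         # one PolicyInformation
        oid_tag, oid_val, _ = _read_tlv(info, 0)   # its policyIdentifier
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier is not an OID")
        policies.append(decode_oid(oid_val))
    return policies


def evaluate(extensions, accepted_policies, required_usage):
    """Apply an application's acceptance policy. Returns (accepted, reason)."""
    # RFC 5280 4.2: a critical extension the relying party cannot process
    # makes the certificate unusable, whatever else it says.
    for oid, critical, _ in extensions:
        if critical and oid not in KNOWN_EXTENSIONS:
            return False, "unrecognized critical extension " + oid
    by_oid = {oid: value for oid, _, value in extensions}
    usages = parse_key_usage(by_oid[OID_KEY_USAGE]) if OID_KEY_USAGE in by_oid else set()
    missing = required_usage - usages
    if missing:
        return False, "missing key usage " + ",".join(sorted(missing))
    policies = (parse_certificate_policies(by_oid[OID_CERT_POLICIES])
                if OID_CERT_POLICIES in by_oid else [])
    if not accepted_policies & set(policies):
        return False, "no acceptable certificate policy"
    return True, "ok"


# Constructed DER values, hand-encoded for this example:
# keyUsage = digitalSignature + keyEncipherment; certificatePolicies = [2.23.140.1.2.1]
KU_DER = bytes.fromhex("030205a0")
CP_DER = bytes.fromhex("300a3008060667810c010201")
HYPOTHETICAL_PRIVATE_EXT = "1.3.6.1.4.1.99999.1"   # invented OID, not a real extension
CERT_DV = [(OID_KEY_USAGE, True, KU_DER), (OID_CERT_POLICIES, False, CP_DER)]
CERT_WITH_UNKNOWN_CRITICAL = CERT_DV + [(HYPOTHETICAL_PRIVATE_EXT, True, b"\x05\x00")]


def demo():
    """One certificate, three assumed application policies; returns the verdicts."""
    web_login = evaluate(CERT_DV, {POLICY_DV, POLICY_OV}, {"digitalSignature"})
    finance = evaluate(CERT_DV, {POLICY_OV}, {"digitalSignature", "nonRepudiation"})
    unknown = evaluate(CERT_WITH_UNKNOWN_CRITICAL, {POLICY_DV}, {"digitalSignature"})
    return web_login, finance, unknown


if __name__ == "__main__":
    for name, verdict in zip(("web login", "finance app", "unknown critical ext"), demo()):
        print(f"{name:22s} accepted={verdict[0]} ({verdict[1]})")
```

The same certificate is accepted by the web-login application but rejected by the finance application, which demands a policy and a key usage the CA did not assert; the third case shows that a critical extension the relying party does not understand overrides everything else, which is the sense in which the criticality flag binds the verifier rather than the CA.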