Trust Policy (TP) modules implement policies defined by Certificate Authorities (CAs) and institutions. Policies define the level of trust required before certain actions can be performed. Three basic categories or actions exist for all certificate-based trust domains:

• Actions on certificates
• Actions on Certificate Revocation Lists (CRLs)
• Domain-specific actions (such as issuing a check or writing to a file).

The generic operations defined in the z/OS Open Cryptographic Services Facility Service Provider Module Developer’s Guide and Reference should be supported by every TP module. Each module may choose to implement the subset of these operations that are required for its policy. When a TP function has determined the trustworthiness of performing an action, the TP function may invoke functions in the Certificate Library (CL) and Data Storage Library (DL) modules to carry out the mechanics of the approved action.