Self-certification. In this scenario, the owner of the key pair generates the
key pair and certifies the public key themselves. This approach is certainly
simple. However, it might seem a strange option, since a public-key certificate
generated by a CA provides 'independent' assurance of purpose of a public
key, whereas self-certification requires relying parties to trust in the assurance
of purpose provided by the owner of the public key. However, if relying parties
trust the owner then this scenario may be justifiable. Examples of situations
where this might be the case are:
• the owner is a CA; it is not uncommon for CAs to self-certify their own
public keys, which is an issue that we will discuss in a moment;
• all relying parties have an established relationship with the owner and hence
trust the owner's certification; for example, a small organisation using a
self-certified public key to encrypt content on an internal website.
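As an added example (not from the book), the following openssl session contrasts a self-certified public key with one certified by a separate CA: a relying party can accept the first only by trusting the owner's own certificate, whereas the second verifies against a CA certificate the relying party already holds. The organisation names, file names and helper functions are made up for the illustration.

```sh
#!/bin/sh
# Added example, not from the book: self-certified versus CA-certified public key.
# Requires the openssl CLI; every name below is a made-up placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-certification: the owner generates the key pair and signs its own certificate,
# so subject and issuer are the same entity.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Example Org/CN=intranet.example.internal" \
  -keyout "$WORK/owner.key" -out "$WORK/self.pem" 2>/dev/null

# CA certification: the owner registers by submitting a certificate request, and a
# separate CA key (here a self-certified root, as the text notes is common) signs it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/O=Example CA/CN=Example Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -key "$WORK/owner.key" \
  -subj "/O=Example Org/CN=intranet.example.internal" -out "$WORK/owner.csr" 2>/dev/null
openssl x509 -req -in "$WORK/owner.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/ca-issued.pem" 2>/dev/null

# is_self_certified CERT: succeeds if subject equals issuer and the signature verifies
# under the certificate's own public key, i.e. only the owner vouches for the key.
is_self_certified() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# trusted_by CERT STORE: succeeds only if a trust store the relying party already
# holds (here the CA certificate) provides the assurance of purpose.
trusted_by() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

is_self_certified "$WORK/self.pem" && echo "self.pem: self-certified, trust rests on the owner"
trusted_by "$WORK/ca-issued.pem" "$WORK/ca.pem" && echo "ca-issued.pem: assured by Example CA"
trusted_by "$WORK/self.pem" "$WORK/ca.pem" || echo "self.pem: no independent assurance from Example CA"
```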
REGISTRATION OF PUBLIC KEYS
If either trusted third-party generation or combined generation of a public-key
pair is undertaken then the owner of the public-key pair must engage in
a registration process with the CA before a public-key certificate can be issued.
This is when the owner presents their credentials to the CA for checking. These
credentials not only provide a means of authenticating the owner, but also
provide information that will be included in some of the fields of the public-key
certificate. Registration is arguably the most vital stage in the process of generating
a public-key certificate. It is also a process that varies greatly between different
applications.
It is worth re-emphasising that the requirements for a registration process are
not unique to public keys. It is also extremely important that a symmetric key is
issued to the correct entities and that associated information (such as intended
purpose of the key, expiry date and usage restrictions) is linked by some means
to the key value. However, as we argued in Section 5.1.1 and Section 10.1.3,
'registration' of symmetric keys tends to be implicitly provided by the supporting
key management system. It is important that registration is explicit for public
keys, particularly in the case of combined generation.
In many application environments a separate entity known as a Registration
Authority (RA) performs this operation. The roles of RA and CA can be separated
for several reasons:
• Registration involves a distinct set of procedures that generally require an
amount of human intervention, whereas certificate creation and issuance can
be automated.
• Checking the credentials of a public-key certificate applicant is often the most
complex part of the certificate creation process. Centralised checking of
credentials represents a likely major bottleneck in the process, particularly for large
organisations. There is thus a strong argument for distributing the registration
activities across a number of local RAs, which perform the checking and then