If a key is going to be associated with a person, there must be a formal way to validate the association. In this video, you’ll learn about the best practices for registering and assigning encryption keys.
<< Previous Video: Public and Private KeysNext: Key Escrow >>
The role in your Public Key Infrastructure that ensures that you have the right people associated with the right certificates is called the Registration Authority. It’s this registration process that ensures that you have exactly the right people lined up with exactly the right certificate. You don’t want someone receiving a message from James signed by James and you find out later it was somebody who had James’ certificate.
It’s this registration process that is in place to ensure that you don’t have that type of fraud or any type of mix up with those certificates later on. This can be done very casually. You can call somebody on the phone. You can have somebody login with certain credentials. Or there may be many, many steps that someone has to go through to finally be registered properly in your Public Key Infrastructure.
To give you an example of one type a process in place for key registration, let’s look at the Federal Public Key Infrastructure Policy Authority. This is the X.509 certificate policy for the US Federal PKI Common Policy Framework. And there is the URL. And we have very, very detailed processes and procedures here in the United States. And this is a document that describes the processes and procedures around having a key associated with a person.
And if you start reading through this, there is some very, very interesting level of details about what’s involved. If you go to Section 220.127.116.11, The Authentication Of Human Subscribers, then you can see what is required. You may have to have your identity verified no more than 30 days before a certificate is issued. You may need agency approval– you will need agency approval. It may require in-person appearance. You have to have a verification of employment.
You have to have your government ID with you. It may also require biometric data. It may require verification of your credentials. You may need to bring in a credit card or utility bill of some kind. There is 1 or many of these that might be required based on the level of security associated with you and the certificate that you’re trying to get. So you can see just how important that key registration process is and how detailed you can really be to make sure that that certificate is matched up properly with that user.