Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
4. The public key, key use, parameters, validity assurance information, and assurance of<br />
possession are provided to the RA or CA along with a claimed identity. The RA or CA<br />
delegates the verification of the public key owner’s identity to another trusted process<br />
(e.g., an examination of the public key owner’s identity by the U.S. postal service when<br />
delivering registered mail). Upon receiving a request for certification, the RA or CA<br />
generates and sends unique, unpredictable information (e.g., an authenticator or<br />
cryptographic key) to the requestor using the trusted process (e.g., a courier). The trusted<br />
process verifies the identity of the requestor prior to delivery of the information provided<br />
by the RA or CA. The owner uses this information to prove that the trusted process<br />
succeeded, and the RA or CA delivers the certificate to the owner. The information<br />
should be destroyed by the key owner as specified in Section 8.3.4 upon receiving<br />
confirmation that the certificate has been successfully generated. (The RA or CA may<br />
maintain this information for auditing purposes, but should not accept further use of the<br />
unique identifier to prove identity.)<br />
In cases involving an RA, upon receipt of all information from the requesting entity (i.e., the<br />
owner of the new public key), the RA forwards the relevant information to a CA for certification.<br />
The RA and CA in combination shall perform any validation or other checks required for the<br />
algorithm with which the public key will be used (e.g., public key validation) prior to issuing a<br />
certificate. The CA should indicate the checks or validations that have been performed (e.g., in<br />
the certificate, or in the CA policy or practices statement). After generation, the certificate is<br />
distributed manually or electronically to the RA, the public key owner, or a certificate repository<br />
(i.e., a directory) in accordance with the CA’s certificate practices statement.<br />
8.1.5.1.1.3 <strong>General</strong> Distribution<br />
Public keys may be distributed to entities other than an RA or CA in several ways. Distribution<br />
methods include:<br />
1. Manual distribution of the public key itself by the owner of the public key (e.g., in a face<br />
to face transfer, or by a bonded courier); the mandatory assurances listed in Section<br />
8.1.5.1.1 shall be provided to the recipient prior to the use of the public key<br />
operationally.<br />
2. Manual (e.g., in a face to face transfer or by receipted mail) or electronic distribution of a<br />
public key certificate by the public key owner, the CA, or a certificate repository (i.e., a<br />
directory). The mandatory assurances listed in Section 8.1.5.1.1 that are not provided by<br />
the CA (e.g., public key validation) shall be provided to or performed by the receiver of<br />
the public key prior to the use of the key operationally.<br />
3. Electronic distribution of a public key (e.g., using a communication protocol with<br />
authentication and content integrity) in which the distributed public key is protected by a<br />
certified key pair owned by the entity distributing the public key. The mandatory<br />
assurances listed in Section 8.1.5.1.1 shall be provided to the receiving entity prior to the<br />
use of the public key operationally.<br />
8.1.5.1.2 Distribution of Ephemeral Public Keys<br />
When used, ephemeral public keys are distributed as part of a secure key agreement protocol.<br />
The key agreement process (i.e., the key agreement scheme + the protocol + key confirmation +<br />
any associated negotiation + local processing) should provide a recipient with the assurances<br />
97