CREN Strategic and Practical FAQ – User Issues

Knowing Your People – Validating Users and User Management of Certificates

Draft 1.3. November 29, 2001

1. What is the role of my campus directory in issuing certificates?

Fundamental to the trust of certificate authorities is the trust that a CA only issues certificates to validated users. Most campuses keep track of or "know their people" by virtue of databases, repositories or directories. Many campuses have the model in which the bursar’s office keeps track of students and the human resources org keeps track of faculty and staff.

Before issuing a certificate to someone, the registration authority component of a certificate authority must attest to the right of an individual or an entity to be issued a certificate. This is why "knowing your people" is so important. For this pilot, you can choose to set up a less automated system of validating users. Long term, more automated systems will be desirable. Building on the systems already in place should be very doable.

2. What are some scenarios that I might consider in authenticating my users?

To get started using certificates at the PKI-Lite or rudimentary level of assurance (LOA), the PKI-Lite policy recommends using established campus practices for issuing campus ID cards. These often rely on picture identification, birth certificates, and the like.

This might well be a face-to-face request on campus, or a series of interactions, including the US mail system, during the admission and acceptance process. Once a user is validated, the fact that the user has been validated becomes part of the campus database or directory.

The registration authority – which might be the bursar or the human resources group – could then draw on that directory record to approve issuing a certificate to the user. This directory information would be the source of the authorization that the user presents when requesting a certificate. If a user requests a certificate from their laptop computer, the digital certificate would then be sent to that computer and stored on its hard drive.

If the laptop were stolen, the certificate (strictly, the private key that goes with it) could not be used without the PIN or passphrase that protects it.
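The directory-to-RA-to-CA flow described above, as an added illustration that is not part of the CREN FAQ: the registration authority checks the directory record (validated identity, active affiliation) and hands out a short-lived, one-time authorization that the CA verifies before issuing. The directory records, the RA signing key, the one-hour lifetime and the token format are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory, modelled on the bursar/HR records described above.
DIRECTORY = {
    "jdoe":   {"affiliation": "student", "status": "active",    "id_validated": True},
    "asmith": {"affiliation": "staff",   "status": "active",    "id_validated": False},
    "bjones": {"affiliation": "student", "status": "withdrawn", "id_validated": True},
}

RA_KEY = secrets.token_bytes(32)   # hypothetical RA signing key, shared only with the CA
TOKEN_TTL = 3600                   # constructed policy: authorization valid for one hour
_CONSUMED = set()                  # authorizations already used, so each works once


def ra_authorize(uid, now=None):
    """RA side: return an authorization string for a validated, active user, else None."""
    rec = DIRECTORY.get(uid)
    if rec is None or rec["status"] != "active" or not rec["id_validated"]:
        return None
    now = int(time.time()) if now is None else int(now)
    msg = f"{uid}|{rec['affiliation']}|{now + TOKEN_TTL}"
    mac = hmac.new(RA_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{mac}"


def ca_verify(token, now=None):
    """CA side: accept a certificate request only if the authorization is intact,
    unexpired and not previously used. Returns the validated identity or None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    uid, affiliation, expires, mac = parts
    expected = hmac.new(RA_KEY, f"{uid}|{affiliation}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):       # tampered or forged
        return None
    now = int(time.time()) if now is None else int(now)
    if int(expires) <= now or token in _CONSUMED:    # expired or replayed
        return None
    _CONSUMED.add(token)
    return {"uid": uid, "affiliation": affiliation}
```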

3. Do I connect my campus directory or database to my CA system via a network connection?

For issuing certificates, the campus CA will need to know where your directory is located both physically and on the network. The particular system that your directory is running on is not generally important. What is more important is how the systems are connected.

Some changes may be needed to your campus directory or database for it to link to the certificate authority software. Exactly which questions must be answered to do this is an area where collecting data from the pilots on how they do it will be useful.

4. Where do users store and secure their private key and digital certificate once the certificate has been issued? This is a very basic question, since the digital certificate needs to be available for use wherever the user is. Is this the famous "mobility" question?

Yes, this is the famous "mobility" question. But solutions are on the horizon, including some similar to the decoder ring that most of us have been fantasizing about for some time. How do users "carry" their digital certificates? Some of the currently available options include carrying it on a USB storage device such as the iRing that users can carry on their key rings, on a smart card, on a mini-CD, or on the hard disk of a laptop or handheld.

5. What are the pros and cons of using these devices for carrying digital certificates? What about models using a variety of these approaches?

Most technology solutions consist of mixed models, depending on context and the users' lifestyle, resources, and needs. The PKI Lab at Dartmouth is investigating the mobility choices and strategies, so hopefully we will know more soon in this area. Some of the more common approaches to carrying one's certificate follow.

5.1 Hard drive storage on laptop or handheld

When the user is issued a digital certificate they also choose a PIN or a password. This password is what the user must supply to get access to his/her digital certificate. An advantage of this method is that no extra hardware is necessary and users can set it up on their own mobile devices. Also, the use of a PIN or password is familiar to users.

The primary disadvantage to this approach is that users must have their own personal device with the digital certificate physically with them. Also, we always have the challenge of poorly chosen and managed personal passwords.

5.2 CD ROM storage

Although CD storage does not provide any real extra security, it does ensure that what has been written to the media is not changed. With CD storage, the user also needs to know the password or PIN, but the digital certificate would be issued once and then transported by the user on the CD to which it was written. An advantage of this method is that there is always an untouched copy of the private key available. One disadvantage is that the user may require a little more education on how to locate and use their certificate from the CD. Note that a mini CD-ROM would be as small and easy to carry as a smart card.

5.3 Smart Card storage

Smart cards are already in use at some institutions and are a logical choice to store a certificate for some applications. Smart cards, as is well known, have small chips on which data such as the private key and digital certificate can be stored. There are several advantages to this type of storage: it is possible to leverage existing applications, and the smart card is easy for users to carry.

There are a few disadvantages, however. Finding staff who can support smart cards may be an additional burden. If a user loses or damages a smart card, a new card and new keys must be issued. Also, laptop or desktop systems will need card readers if users want access to their certificate, for example for signed email, from their own computer.

An interesting additional benefit of smart cards is that the user's picture can also be printed on the card for better identification.

5.4 USB devices

USB devices hold promise as storage locations for digital certificates. USB devices can be quite small and portable, available in interesting formats, such as attachments for key rings, rings, and necklace pendants. USB devices share characteristics of smart cards in their level of security and have the advantage that most newer computers come equipped with a USB port. Unfortunately, USB ports are not usually conveniently located for regular docking and undocking for USB devices that plug directly into the port.

Some administrators believe that the wear and tear on a computer's USB port can be a disadvantage of this technology as well; others, however, recommend the purchase of a USB extension cable to make the connection point more easily accessible.

Other disadvantages of this technology include the training of staff to support this type of storage.

6. So the answer is... Watch this space, and particularly the work at the PKI Lab at Dartmouth and the pilot implementations. The second half of the answer is to "Keep it Simple." Starting with what users already have for a PKI-Lite implementation is a good way to go, unless other forces or opportunities suggest experimentation with these other choices.

Please send comments/suggestions to