Validations

x.509 and cryptographic standards make it impossible that two identical certificates can be issued from the same Digi-CA™. Every certificate is unique.

A person’s ‘proof of identity’ can be proven using various traditional methods. For example: private information that only that specific person could know; a letter from a notary, lawyer, accountant, employer or Peace Commissioner identifying that person; bank, passport, national ID card or insurance number; eye scan, finger print, biometrics; etc. Every person is unique.

The whole purpose of the certificate is to identify the specific person or device in the digital world. Once the unique identity is proven using traditional methods, then the unique certificate can be issued.

The process of mapping the unique certificate to the unique person or device is called the Validation Process. The Validation Process is based on the specific CP for the specific certificate and is set out when Digi-CA™ is first designed and installed.

The Digi-CA™ is the digital equivalent of an identification authority like an employee ID card, a passport office or a national identity card issuer. In all of the above cases, the identity of the end user is checked and an ID is issued to certify that the person is who they claim to be. In the case of the Digi-CA™, it issues the certificate to each end user after their ‘real world’ identity has been verified.

The process of issuing the certificate is similar to the steps used to issue an employee ID card, passport or national ID card.

• An organisation wants to clearly identify its employees to the ‘outside’ world.
  In this case, the users use email to communicate with other users outside their network. Because the company owns its own domain name, it only needs to restrict the Validations Process so that certificates are only issued to users with that specific domain name in their email address. Users simply fill in their name and email address and these are cross-checked against an email owner list. If the email address exists, the certificate is issued.
• An online service needs to restrict access to its services for fee paying members only.
  In this case, the users’ details and account details are already known. Because the company knows who has paid for the service, it only needs to restrict the Validations Process so that certificates are only issued to users with specific email addresses and account details. Users simple fill in their details and they are cross-checked against an email owner list. If the details are entered correctly, the certificate is issued.
• A Public Authority wants to identify users of its public services.
  Depending on the sensitivity of the data and the Data Protection Laws that must be followed, the Authority may need to issue the certificate pre-installed on smartcards and only give them to the end user when they turn up in person and present their ‘proof of identity’. The Authority must exercise its own procedures on what constitutes true ‘proof of identity’.
  In less stringent cases, certain Methods of Delivery or a combination of Methods may not require ‘proof of identity’.
• A legal document in electronic format needs two people to digitally sign it.
  If the lawyers acting on behalf of the clients send letters with some confidential information about the client (that only the lawyer and the client know) then this information can be used when the user enrolls on the web application form. If the details are entered correctly, the certificate is issued.
• A Service Provider wants to authenticate one hardware device to another central server device
  This is simply a case of matching one certificate Serial Number to the list pre-defined on the Digi-CA™ system. The certificates can be issued and only those devices containing the correct Serial Number will be authenticated to the central server.
• A medical organisation wants to provide patients, certified users and doctors with access to medical files
  As with the Public Authority, this may require a ‘proof of identity’ check. Another alternative would be to use a Method of Delivery where the user receives a Smartcard, for example, with the certificate pre-installed. Access to the medical files can occur on an as needed basis using a telephone identity check where details about the patient can be verified by telephone before activating the certificate and providing access to the records.
• Multiple entities want to exchange data using encryption that is limited to specific users.
  As described in the Methods of Delivery, the identity of these users can be simple (name, email, telephone and ID) or in high security environments, a higher security process of issuing the certificates will be used.

How an end entity certificate is validated is central to the security and legality of the certificate and the Digi-CA™. If the Validation Policy is weak or can be easily circumvented, then personal identity theft or impersonation is possible. In other words, there is no way to ‘tie’ the certificate to the user.