Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 25 2008 - 11:42

Digi-ID™ Storage Types

When a CSP (Cryptographic Service Provider) is used in the ‘manufacture’ of the Public and Private Key Pair from which the Digi-ID™ is generated, there is a choice between two Digi-ID™ Storage Methods:

The Export Storage type is where the Private Key can be exported from the storage device.

The Fused Storage type is where the Private Key cannot be exported from the storage device.

Digi-CA™ [2] offers both of these Storage Types.

  • Export Storage

    Export Storage means that when the Public and Private Key Pair is generated and then signed, the entire Digi-ID™ package, that is the Key Pair together with the Certificate, can be exported from the original storage device as a PKCS#12 file. The Digi-ID™ is therefore not ‘fused’ into the device.



      In the most common case, where the Digi-ID™ is stored in the Certificate Store of the user's Desktop Profile, a wizard exports the entire package to a file so that it can be reinstalled elsewhere.
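The following PowerShell is an added example and not Digi-Sign's own code. It is the scripted equivalent of the export wizard described above: it writes a Digi-ID™ (certificate plus private key) from the current user's Personal store to a password-protected PKCS#12 file, restricts that file to the current user, and reinstalls it on another profile with the private key marked non-exportable. It assumes Windows 8 / Server 2012 or later (the built-in PKI module), a key that the CSP marked exportable, and placeholder values for the thumbprint and file path.

```powershell
# Added example (not Digi-Sign's code). Export a Digi-ID as PKCS#12 and
# reinstall it; assumes the built-in PKI module (Export-/Import-PfxCertificate).

function Export-DigiIdPackage {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    $certPath = "Cert:\CurrentUser\My\$Thumbprint"
    try {
        # Export-PfxCertificate refuses a private key that the CSP marked
        # non-exportable: that failure is exactly the "Fused Storage" case.
        Export-PfxCertificate -Cert $certPath -FilePath $OutFile -Password $Password -ErrorAction Stop | Out-Null

        # A PKCS#12 file carries the private key, so drop inherited ACEs and
        # grant access to the exporting user only.
        $acl = Get-Acl -Path $OutFile
        $acl.SetAccessRuleProtection($true, $false)
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $OutFile -AclObject $acl
        return $true
    } catch {
        Write-Warning "Export of $Thumbprint failed (key is fused/non-exportable?): $($_.Exception.Message)"
        return $false
    }
}

function Import-DigiIdPackage {
    param(
        [Parameter(Mandatory)][string]$PfxFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Without -Exportable the reinstalled private key is bound to this profile,
    # i.e. it becomes "Fused Storage" on the new device.
    Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password
}

# Usage (thumbprint and path are placeholders):
# $pw = Read-Host -AsSecureString -Prompt 'PKCS#12 password'
# Export-DigiIdPackage -Thumbprint '<THUMBPRINT>' -OutFile "$env:USERPROFILE\digi-id.pfx" -Password $pw
# Import-DigiIdPackage -PfxFile "$env:USERPROFILE\digi-id.pfx" -Password $pw
```

Two points in the script matter for the storage types above: the export step is where a fused key is refused, so a failing export is the expected outcome for Fused Storage rather than an error to work around; and the import step deliberately omits `-Exportable`, which is what turns an Export Storage package back into a device-bound key once it is reinstalled.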




  • Fused Storage

    Fused Storage means that when the Public and Private Key Pair is generated and the Certificate is signed, the Private Key is ‘fused’ to the device used in its creation and can never be exported.



    Fused User Protected Storage

    Where the Digi-ID™ is stored in the Microsoft Internet Explorer Certificate Store of the user's Desktop Profile, the Digi-CA Server™ system can offer further security levels by enabling the User Protected setting. Depending on the Certificate Policy, this can be offered to the end user as an option or it can be enforced. The security levels are:

              • Low
              • Medium
              • High




    The Low setting is the same as no User Protection, and the check box remains unchecked. With the Medium setting, every time any application requires the Digi-ID™ a simple pop-up dialog appears so that the user is notified and must accept the request by clicking the OK button. With the High setting, a pop-up dialog appears and the user must enter a password before any request to use the Digi-ID™ is permitted.

    If a High User Protection is enforced by the Certificate Policy, or the user selects it, then the pop-up dialog will require them to enter a password to protect the Digi-ID™.

    This final setting, where the user must enter a password, is referred to as two factor authentication [3], because the user must have the Digi-ID™ and know its password before they can use it. Something you have and something you know together provide this Two Factor Authentication.
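The following PowerShell is an added example and not Digi-Sign's or Microsoft's own code. It audits the current user's Personal certificate store and reports, for every certificate that has an RSA private key, whether the key is exportable (Export Storage) or device-bound (Fused Storage), which provider holds it, whether it is hardware-backed, and what user-protection level is set. The mapping of the CNG UI policy values `ProtectKey` and `ForceHighProtection` to the Medium and High levels described above is this example's own reading of the .NET documentation, not a statement from the page; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and no third-party modules.

```powershell
# Added example (not Digi-Sign's code). Audit private-key storage and
# user-protection settings in the current user's Personal store.

function Get-DigiIdKeyStorageReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'   # assumed default store
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # Resolve the RSA key through whichever provider holds it: CNG or the
        # legacy CSP. Non-RSA keys are out of scope for this example.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $key) { continue }

        if ($key -is [System.Security.Cryptography.RSACng]) {
            # CNG key: export policy and UI policy live on the CngKey object.
            $cng        = $key.Key
            $exportable = $cng.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
            # None = Low, ProtectKey = prompt on use (Medium-like),
            # ForceHighProtection = password on use (High-like); assumed mapping.
            $protection = $cng.UIPolicy.ProtectionLevel.ToString()
            $provider   = $cng.Provider.Provider
            $hardware   = 'n/a'   # CNG does not expose a simple hardware flag here
        } else {
            # Legacy CSP key: the flags are on CspKeyContainerInfo.
            $info       = $key.CspKeyContainerInfo
            $exportable = $info.Exportable
            # Protected reports whether the key was created with the
            # user-protected flag (the "User Protected" setting above).
            $protection = if ($info.Protected) { 'UserProtected' } else { 'None' }
            $provider   = $info.ProviderName
            $hardware   = $info.HardwareDevice
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Provider    = $provider
            StorageType = if ($exportable) { 'Export' } else { 'Fused' }
            Hardware    = $hardware
            Protection  = $protection
        }
    }
}

# Usage: list every Digi-ID and flag keys that can leave the device without
# any user protection, which is the weakest combination described above.
$report = Get-DigiIdKeyStorageReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.StorageType -eq 'Export' -and $_.Protection -eq 'None' } |
    ForEach-Object { Write-Warning "Exportable, unprotected key: $($_.Subject) [$($_.Thumbprint)]" }
```

The report is the check a practitioner wants before relying on a Certificate Policy: a key that shows `StorageType = Export` with `Protection = None` can be copied out as PKCS#12 by anyone who can run code as that user, while `Fused` together with a prompt or password level is what the page's two factor claim actually depends on.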


Source URL: https://www.digi-sign.com/digi-ca/digital%20certificate%20storage%20types

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] https://www.digi-sign.com/digi-ca
[3] https://www.digi-sign.com/two+factor+authentication