Next: Routine Re-key Up: Initial Registration Previous: Authentication of organisation identity   Contents

Authentication of individual identity

Certificates issued by the CA bind a subject name to an identified entity that is in possession of the private key pertaining to that certificate. This binding will be authenticated by the CA or its assigned RAs. In case the entity is a natural person, the initial authentication will be based on suitable identification documents and appearance of the applicant before the CA or RA.

In case the entity to be certified is a machine or software component, the requester (a natural person) shall prove to the satisfaction of the CA and RA that the binding will be to the service or system defined in the subject and that the requester is adequately authorised.

For subscribers, the CA shall ensure that the applicant's identity is verified in accordance with this CP/CPS. In addition, the CA and RA shall record the process followed for the issuance of each certificate. This record is a paper form that shall include:

as filled by the applicant, and as filled by the RA.

For identity authentication, the applicant must appear in person before the RA or CA and show at least one of the following: a passport, a Dutch driving licence, a European Identity Card, or, by special permission of the CA, a photo-bearing ID issued by a trustworthy public organisation that is capable of being audited and that can only be obtained by showing official government-issued identity papers. The RA or CA will meet the holder in person, compare the photographs, and register and verify the number of the identity document.

Specially designated Registration Authorities can implement alternative identity vetting mechanisms that are at least as secure as the method described above. These RAs shall be explicitly mentioned in the CA repository. In particular, an RA may use existing archived records to perform the validation of the applicant, if the information contained in these archives about the applicant has been collected in a way that meets or exceeds the requirements stated above, and if these records are validated frequently (at least every three months). The original identity vetting procedures of such an RA shall be documented as an appendix to this document, an Object Identifier shall be assigned to this appendix, and this object identifier shall be added to the certificates validated by this RA. The appointment or discontinuation of such an RA will be announced to the peers of the DutchGrid medium-security Certification Authority.

The RA and CA will make sure that the subject name of the certificate is non-null and compatible with the requirements in section 3.1. In the case of a natural person, the subject name must conform to the full name shown on the identity document.

The affiliation of the applicant with the organisation mentioned in the request is verified by checking public databases maintained by that organisation, by a written statement from that organisation testifying to the affiliation to the RA or CA, or by knowledge already held by the CA or RA.

Machines and objects are authorised by contacting the natural person responsible for the machine or object. This responsible person will be authorised in accordance with the stipulations made in this section.

Any information exchanged between the RA and the CA shall be either validated by strong cryptographic means, or by means that constitute valid legal evidence, or shall be verified by out-of-band methods in a phone conversation with firm positive identification by both parties (CA and RA) involved. The record form indicated above, duly countersigned by the RA, may be sent to the CA by either the RA or the applicant, by means that constitute valid legal evidence.

The certificate is sent to the subscriber at the electronic mail address provided within or as part of the request. On request of the subscriber, the certificate may be delivered by other suitable means.

Since no private keys are generated by the CA, these need not be delivered to the subscriber.

David Groep 2005-01-07