3

In preparing for the CISSP exam, the course material seems to emphasize a distinct role between a Certificate Authority and a Registration Authority. As per the study guide description:

Registration authorities (RAs) assist CAs with the burden of verifying users' identities prior to issuing digital certificates. They do not directly issue certificates themselves, but they play an important role in the certification process, allowing CAs to remotely validate user identities.

Is this all an internal functional process/role that customers don't really see? If I go to CA vendor "Widget Certs, Inc" and submit the CSR via the web site, it seems like this all gets processed by a singular entity.

To make things more confusing... the course material later states:

When you want to obtain a digital certificate, you must first prove your identity to the CA in some manner; this process is called enrollment.

Mike B

2 Answers

4

This process of enrolment is made confusing unintentionally.

In many cases the RA and CA are the same entity. An easy way to see this is with common SSL/TLS certificates. Godaddy, Comodo, and others will offer an EV SSL (Extended Validation SSL) Certificate. The corporation that offers the certificate validates the end user's information as well as actually issuing them a certificate.

To create a full chain of trust, the RA and CA should be separate entities. In a system like ICAO's PKI for ePassports, this system is much more evident. There is a document signing certificate (DSC), a country signing certificate (CSC), and sub certificates for each issuing office in the country (issuer security certificates or ISCs). It's not very evident when inspecting the raw certificates in ICAO's PKI, but some countries do seem to follow this full model.

The immediate benefit of this "full" model is that a revocation list can target a specific issuing office's certificates, rather than one for the country.

You can read more about the PKI structure ICAO employs below:

https://en.wikipedia.org/wiki/International_Civil_Aviation_Organization_Public_Key_Directory

http://www.icao.int/Security/FAL/PKD/Pages/default.aspx

dark_st3alth
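The "full" model this answer describes, as an added example that is not part of the original post and not ICAO's own code: a constructed hierarchy built with Go's standard crypto/x509, with a self-signed CSC, one ISC per issuing office and one DSC under each office, plus a check that rejects a DSC whose office ISC has been revoked while the other office's DSC stays trusted. The names, serial numbers and validity periods are made up, the ISC-per-office layering follows the answer rather than any particular country's deployment, and revocation is modelled as a set of revoked serials checked along the verified chain rather than a parsed CRL.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "math/big"
import "time"

// issue makes an Ed25519 key for cn and has parent sign its certificate (self-signed when parent is nil); ca marks signing tiers.
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself does
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err) // every input is constructed here, so a failure is a bug in the example
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// The constructed sample hierarchy, layered as the answer describes: CSC -> ISC (one per issuing office) -> DSC.
var (
	CSC, cscKey   = issue(1, "Country Signing CA", true, nil, nil)
	OfficeA, keyA = issue(2, "Issuing Office A", true, CSC, cscKey)
	OfficeB, keyB = issue(3, "Issuing Office B", true, CSC, cscKey)
	DSCA, _       = issue(4, "Document Signer A-1", false, OfficeA, keyA)
	DSCB, _       = issue(5, "Document Signer B-1", false, OfficeB, keyB)
)

// Trusted chains dsc to the CSC through the office ISCs, then rejects it if any certificate on that chain is revoked.
func Trusted(dsc *x509.Certificate, revoked map[int64]bool) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(CSC)
	inter.AddCert(OfficeA)
	inter.AddCert(OfficeB)
	chains, err := dsc.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	for _, chain := range chains { // empty when no path to the CSC exists; exactly one chain otherwise
		for _, c := range chain { // DSC, its office ISC, the CSC
			if revoked[c.SerialNumber.Int64()] { // serials collected from the applicable CRLs
				return false
			}
		}
	}
	return err == nil
}
```

Revoking serial 2 (office A's ISC) makes Trusted(DSCA, revoked) false while Trusted(DSCB, revoked) stays true, which is the per-office targeting the answer points out.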
1

The RA handles the interaction with the end entity (aka subject of a certificate). This includes, in a physical scenario, checking IDs or reviewing paperwork. They present a validation statement to the CA, which does the issuing.

This distinction is from various older PKI reference models but not very visible to users for the normal automated class 1 SSL cert use case. It is more common for electronic passports or personal identification cards in an enterprise setting to have this separation.

Some reasons are given here: https://www.rfc-editor.org/rfc/rfc4210#page-61

I would replace CA with CA/RA in your course material and understand RA as an organizational separation with nearly nontechnical impact. It is the part of a CA talking to the users, especially for enrollment.

eckes