Certification Authorities

Confidence in the authenticity of a public key is enhanced by the key being signed by a trustworthy certifier. Additional reassurance comes from having signatures from several keys, so that if one should be compromised, the remaining signatures still vouch for the authenticity of the key.

It is recommended that each institution create two or more PGP key pairs to be used only for the purpose of signing the public keys belonging to members of the institution, thereby vouching for those keys' identity. We deliberately leave unspecified the term ``institution''; we expand on the meaning of ``member'' below. Depending on circumstances, an institution might be an Oxbridge college, a university department, an entire university, or UKERNA as a whole. The vital requirement is that signatures made by a certification key on other keys be beyond reproach.

In practice, this means that the following criteria must be met:

• The keys must be large enough that there can be no suspicion that a cryptanalytical attack may be used to compromise them. This implies that the size must be at least 1024 bits.

• The passphrases protecting the private keys must each be known only to a single trustworthy person.

• To guard against loss of the certification keys or their passphrases, a copy of each key pair should be kept, serially encrypted under the public keys of all the other signatories. Alternatively, a master copy of the keys and a human-readable copy of the passphrases should be kept in a sealed package, itself held in a physically secure safe.

• The certification key must be used only on a single-user machine, probably dedicated to this purpose. A cheap portable microcomputer is easily adequate for this function and can be locked away when not in use. By having a dedicated machine and, especially, a single user machine, the risk of accidental compromise of the certification key is greatly reduced.

• Procedures must be in place so that applicants wishing to have their keys signed are required to provide proof of identity comparable with that, say, necessary for them to be able to borrow books from the institution's library. Applicants must also be required to demonstrate that they have control of the corresponding private key. If the key pair was generated by the institution, this will be straightforward to satisfy, otherwise a PGP-signed message would be adequate proof of ownership.

• An institution should have an obligation to sign any PGP public key presented for signature, as long as that key and its owner meet the requirements in the above paragraph. This requirement is to ensure that an institution cannot force its members to use only institution-generated keys if they want a trustworthy signature.

It is recommended, though not obligatory, that the only keys to be signed with a certification key be those belonging to members of the institution; those used by services provided by the institution; and the certification keys of sub-institutions. So, for instance, the Department of Experimental Theology at Neasden University would certify keys belonging to their staff and also the key used by Postmaster@expth.neasden.ac.uk; the departmental certification keys would themselves be signed by the university's certification keys. The university would be willing to sign the key of any member of the university as well as its departmental certification keys; its keys would themselves be signed by the master UKERNA keys, which would themselves be signed by other similar organizations. Some departments may be so small that they would not have certification keys; their members would rely on the university's certificates.

If a trustworthy certification heirarchy can be set up in this manner, we would expect PGP users to trust their department, university and UKERNA to act as introducers and, thereafter, keys signed by any of these would be accepted as genuine without the user being questioned by PGP. To verify the authenticity of a key supposedly belonging to a member of a different institution, the user would need at least one of the public keys of its certifiers, at least one of the certifiers of that key, and so on until a key is reached which has been signed by an authority present in the chain of certifiers of the user's own key. In an ideal world, these intermediate keys would be fetched automatically and invisibly by the MUA as required.

As signatures cannot be revoked (at least under PGP 2. x), it would be useful to include an expiry date in the certifying key's userID. Some time before expiry of the key, all users have to ask to have their keys re-signed with new keys before the old ones are revoked. Version 3.0 of PGP is expected to implement signature revocations, and it may be that this will be sufficient.