Esmd aor
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

esMD AoR PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

esMD AoR. Functions of an X.509 Certification Authority (CA). CAs and t rusted online transactions. Table of Contents. Slide Title 3 Trust and PKI 8 Certification Authorities 14 Certificates 19 Identity Proofing 24 PKI Services 28 Direct Transaction Process

Download Presentation

esMD AoR

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Esmd aor


Functions of an X.509 Certification Authority (CA)

Cas and t rusted online transactions

CAs and trusted online transactions

Table of Contents


3 Trust and PKI

8 Certification Authorities

14 Certificates

19 Identity Proofing

24 PKI Services

28 Direct Transaction Process

29 Direct Provisioning

30 Q & A

31 Acknowledgements

32 About DigiCert



  • Trust occurs between people: Technology by itself is not sufficient to solve “Trust”issues

  • A Trust Framework is a set of standards that combines technology with policies on how and when a technology is utilized/applied, who the participants are, and what their roles and responsibilities are in the system

  • Public Key Infrastructures are a common methodology for implementing trust frameworks

What is pki

What is PKI?

  • Public Key Infrastructure

  • Comprehensive security technology and policies using cryptography and standards to enable users to:

    • Identify (authenticate) themselves to network services, access policies, and each other to prove source of origin and destination.

    • Digitally sign electronic documents, email and other data to provide authorization and prove integrity.

    • Encrypt email, data, and other documents to prevent unauthorized access.

Why pki

Why PKI?

  • Uniform way to address securing many different types of applications

  • Enables reliable authentication, digital signing and encryption of data/documents/identities

  • Overcomes many weaknesses of using password based protocols on open networks

  • Facilitates easy setup of shared secrets between previously unknown parties

  • Strong and proven underlying security technology

  • Widely included in technology products

Applications of pki

Applications of PKI

  • Authentication and Authorization of end points in an internet transaction

    • e.g. users and servers, server to server, user to user

    • This is the basis for the SSL protocol used to secure web connections using https.

  • Secure Messaging

    • e-mail (signed and encrypted)

    • Secure instant messaging

  • Electronic signatures

    • Documents, data, agreements

    • Prescriptions, Insurance authorizations, case notes

  • Data encryption

    • Medical records, Diagnostic datasets, Business documents, Financial data, databases, executable code

  • Network data protection (VPN, wireless)

Components of pki

Components of PKI

  • Certification Authority (CA)

    • Policy (CP) & Practices (CPS)

    • Registration Authority (RA)

      • Practices (RPS)

      • Local Registration Agent (LRA)

  • X.509 Digital Certificates

    • Contents

      • Identity, Usage, Public Key, Validation

    • Types

      • Trust Anchors & enablers

        • Root Certificates, issuing authorities, cross-certificates

      • End Entities

        • Client, Server, Device, Group, Role

  • Cryptography

    • Algorithms & Protocols

    • Asymmetric Keys

      • Public Key, Private Key

    • Services

      • Authentication, Digital Signature, Encryption

What is a certification authority

What is a Certification Authority?

  • An organization that creates, publishes, and revokes certificates.

  • Verifies the information in the certificate, binds identities to cryptographic keys.

    • May outsource identity verification to Registration Authority

  • Protects general security and policies of the system and its records.

  • Allows you to check certificates so you can decide whether to use them in business transactions.

  • Has one or more trusted Roots, called a trust anchor embedded in applications

What is a registration authority

What is a Registration Authority?

  • An organization that collects and verifies the identity information that will be used in a certificate based on published standards.

  • Represents a Certification Authority for any face-to-face validation of identity

  • Must be authorized by the relevant Certification Authority for this purpose

    • Audit of processes required

    • Archival of evidence data required

Ca ra relationship

Registration Authority (RA)

Certificate Authority (CA)

Identity/Trust Verification

Compile/Validate Identity and Trust Documentation

Certificate Validation Service

Revocation Services

Certificate Signing Services

Certification Practices Statement

Registration Practices Statement


RA Agreement



CA – RA Relationship

Source: February, 2012

Health information service provider hisp

Health Information Service Provider (HISP)

  • Duties of a HISP:

    • provide subscribers with account and Direct addresses

    • provide web portal or EHR/PHR integration

    • arrange for identity verification - org and individual [RA function]

    • arrange for digital certificate issuance, management [CA function]

    • maintain integrity of trust and security framework

    • stay current with federal policies and regulations

Hisp configurations

HISP Configurations

A HISP may run its own CA, but outsource RA functions to an accredited RA

A HISP may run its own CA, and RA functions internally



A HISP may outsource both CA and RA functions to accredited entities

A HISP may run its own RA, but outsource CA functions to an accredited CA



What is a certificate

What is a Certificate?

  • Signed data structure (x.509 standard) binds some information to a public key.

  • Trusted entity, called a Certification Authority (CA) asserts validity of information in the certificate, enforces policies for issuing certificates.

  • Certificate information is usually a personal identity, a server name, or a service identifier, with authorizations for how the keys should be used.

  • Think of a certificate with its keys as an electronic:

    • ID card,

    • encoder/decoder device, and

    • official seal or notary-style stamp.

X 509 certificate

X.509 Certificate

X 509 certificate1

X.509 Certificate

X 509 certificate2

X.509 Certificate

Types of certificates

Types of Certificates

  • DigiCert issues a number of different types of certificates. These are governed by the policy(s) they are issued under and the profile being applied:

    • SSL certificates (standard, Wildcard*, UC)

      • EV, OV, DV

    • Code Signing (including EV Code Signing)

    • Client Certificate (individual, group, role)

      • Level 1 Personal, level 1 Enterprise, Level 2 Corporate, Level 3 High Assurance / FBCA med / Direct, Level 4 High Hardware Assurance / FBCA Medium Hardware, PIV-I

      • Authentication Only

      • IGTF & Grid-Only

    • Device and Host certificates

      • L1 through L4

      • IGTF & Grid-Only

Identity proofing for certificates

Identity Proofing for Certificates

Identity proofing for certificates1

Identity Proofing for Certificates

Identity proofing for certificates2

Identity Proofing for Certificates

Identity proofing for certificates3

Identity Proofing for Certificates

Identity proofing for certificates4

Identity Proofing for Certificates

  • Group Certificates

    • DigiCertmay issue a group certificate (a certificate that corresponds to a Private Key that is shared by multiple Subscribers) if several entities are acting in one capacity and if non‐repudiation is not required. DigiCertor the RA records the information identified above for a sponsor before issuing a group certificate. The sponsor must be at least an Information Systems Security Officer or of the equivalent rank or greater within the organization.

    • For Direct certificates, the HISP ISSO and the Provider organization representative are both validated

  • Device Certificates

    • DigiCertissues Level 1, 2, 3 or 4 Client and Federated Device Certificates for use on computing or network devices, provided that the entity owning the device is listed as the subject. In all cases, the device has a human sponsor who provides:

      • Equipment identification (e.g., serial number) or service name (e.g., DNS name),

      • Equipment public keys,

      • Equipment authorizations and attributes (if any are to be included in the certificate), and

      • Contact information.

    • Sponsor is also vetted according to processes defined of individual at required LoA

  • Identity is revalidated according to the following schedule:

    • Device Certs: at least every 39 months

    • Individual Certs (levels 1 thru 4): at least every 9 years (if 3-year cert)

Pki services

PKI Services

  • Certificates (containing public keys) and corresponding private keys are used to provide a range of cryptographic services:

    • Confidentiality (encryption)

    • Integrity (digital signature)

    • Authentication (digital signature)

  • Multiple algorithms and standards can be used

    • Federal Information Processing Standards (FIPS) exists for federal agencies

      • e.g. FIPS 186 for Digital Signatures



Asymmetric encryption prevents need for shared secrets.

Anyone encrypts with public key of recipient.

Requires some mechanism for discovering intended recipient’s public key

Only the recipient can decrypt with their private key.

Private key is secret, so “bad guys” can’t read encrypted data.

Digital signatures

Digital Signatures

Compute message digest, encrypt with your private key.

Reader decrypts with your public key.

Re-compute the digest and verify match with original – guarantees no one has modified signed data.

Only signer has private key, so no one else can spoof their digital signature.





A CA - Certification Authority, signs a certificate attesting that the public key belongs to the entity named in the certificate

Certificate Policy indicates what steps are taken to verify identity and how the CA systems operate to ensure security and integrity

CA is a Trusted Third Party providing a seal of authenticity

Use of certificate provides reliability and non-repudiation in the identity of the source or destination of a transaction



Certificates vetted to FBCA Medium LoA standard ensures strongest binding between PKI keys and identity listed in the cert

HIPAA Covered Entity Assertion governed by DirectTrust CP

PKI Encryption ensures confidentiality in messages

PKI Digital Signatures ensures integrity and reliability of messages

PKI Authentication provides authenticity and trust of message reaching intended recipients

Direct identity trust and address provisioning

Assume has Digital Identity Certificate

Registration Authority (RA)

Certificate Authority (CA)

Domain Name System (DNS)

Compile/Validate Identity and Trust Documentation

Identity/Trust Verification

Certificate Validation Service

Revocation Services

Certificate Signing Services

HCO Representative

Health Information Service Provider (HISP)

LDAP Name System

Healthcare Organization (HCO)

Direct Identity, Trust, and Address Provisioning

The CA and RA enforce the policies specified in the and FBCA Certificate Policies (CPs).

6. Certificate Signing Request

7. Direct Organization Certificate

2. Request Direct Organization Certificate

3. Credentials and Documentation

  • Representative FBCA Credentials

  • Representative Authorization

  • Legal Entity Documents

  • Membership/Trust Agreement

  • HIPAA status

5. CSR + Public Key

4. Direct OrganizationDomain

8. Direct Organization Certificate

1. Enroll with HISP

9. Direct Address/ Org Certificate

Source: February, 2012

Related ca questions and answers

Related CA Questions and Answers

  • What ability is there to issue multiple digital credentials with one identity proofing?

    • This is perfectly allowable process, typically an already credentialed entity presents their original certificate as proof of identity binding and can be issued a certificate of equal or less LoA

    • Identity must be revalidated periodically via original process (at least 39 months for device, 9 years for individual (including group certs)

  • What is the Revocation process

    • DigiCert provides a Managed PKI interface (hosted web portal) that allows for issuance, revocation and renewal of certificates.

    • DigiCert also provides an API (REST-based) for application integration that has similar functionality

  • What about Proxy Certificates for delegation of rights

    • Proxy certificates are issued by end entities and not by a CA. As such they are typically not trusted in browsers without appropriate plugins to circumvent the trust validation up to an embedded Root

    • Proxy certs are used quite successfully in other communities e.g. IGTF and where purpose built application manage them appropriately



  • Scott Rea, CISSP

    VP GOV/EDU Relations and Sr. PKI Architect

    DigiCert, Inc. Lindon UT 84042

    (Also note: Member of

  • [email protected]

  • (801) 701-9636



About digicert

About DigiCert

A Few Facts

DigiCert – a local interface to your global trust community.

  • DigiCert established in 2003, a Root CA

  • DigiCert’s management has combined about 100 years experience in internet security

  • Frost & Sullivan and Netcraft survey ranks DigiCert 3rd largest high-assurance CA

  • DigiCert is growing fast 

  • WebTrust audited

  • DigiCert growing its business globally

146 Countries and Growing!

About digicert1

About DigiCert

Who Uses DigiCert?

DigiCert provides encryption and authentication services to over 50,000 customers.

About digicert2

About DigiCert

DigiCert Trusted Roots

DigiCert Trusted Roots

Already Embedded In:

  • Web Browsers

  • AOL

  • Firefox

  • Google Chrome

  • Internet Explorer

  • Safari

  • Konqueror

  • Camino

  • Mozilla

  • Netscape

  • Opera

  • Mobile Devices

  • Android OS

  • Blackberry OS

  • iPhone OS

  • Nokia E-Series Phones

  • Palm

  • Symbian OS

  • Windows Mobile

About digicert3

About DigiCert

Rapid Growth

DigiCert is the 3rd largest provider of high assurance SSL certificates and among the world’s fastest growing companies:

About digicert4

About DigiCert


DigiCert features more 5-star reviews than any other Certificate Authority on Here are a few user-generated quotes:

“This company is 5/5 for me, and I’m the kind of guy who could rate something as 4.97 / 5 out of sheer pickiness” (Dec 16, 2010)

“These guys have provided the best level of customer service Ihave ever experienced anywhere.” (Dec 22, 2010)

“Miles above the other well known names. Thanks a million to DigiCert and their team” (Oct 22, 2010)

About digicert5

About DigiCert


DigiCert SSL Certificates Feature:

99.5% Browser Compatibility

Unlimited Server License

Secure Trust Seal

Award-winning 24/7 customer support

$1,000,000 Warranty

About digicert6

About DigiCert


Easily manage thousands of SSL certificates with our enterprise-grade, web-based PKI.

Instantly approve or reject certificate requests.

Intuitive user interface with multiple levels of authority.

Assign business units to sub-accounts with limited access.

Centralize control while distributing workload.

About digicert7

About DigiCert

Industry Leader

DigiCert leads the industry toward better practices by participating actively in the following groups:


CA/Browser Forum

Four Bridges Forum

About digicert8

About DigiCert


DigiCert has been recognized multiple times for its excellence in customer value, customer support and the workplace.

  • Login