Cowles, Robert D. wrote:
As I have said before, the purpose of a CA is to be sure that if it is issuing a certificate either the DN has not been used before by that CA or it can verify that it is issuing the cert to the same person who used the DN before. Unfortunately, this means storing Personally Identifiable Information so you can have something to check at time of renewal / re-issue ... and we are being required to have more and more protection associated with any PII we retain.
Well, no one said it was an easy task being a CA! I would expect the CA to keep copies of all the documents on which it made its decision (photocopies of passports, ID cards or whatever) plus an audit of the messages that were exchanged.

Regards,
David
Bob Cowles
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************