In our previous post, we investigated the role of a Certification Authority. Today, we put the spotlight on another player in the Public Key Infrastructure (PKI) scheme, the Registration Authority (RA). Our RA Manager and AML Officer, David Paganotti, lends us a hand in defining and explaining what an RA does.
Registration Authority (RA) – Trusted Third Party role
As we saw last week, one of a Certification Authority’s main missions is to provide its customers with the means (i.e. certificates) to prove their identity in the online environment. Such certificates can also be used to create electronic signatures. An e-signature carries the same legal value as a handwritten signature when it is a qualified electronic signature under eIDAS, that is, one based on a qualified electronic certificate and created with a qualified signature creation device.
Before issuing such a certificate, a Certification Authority (CA) must, in strict compliance with the European eIDAS (electronic Identification, Authentication and Trust Services) regulation, unambiguously identify the future certificate holder and check and validate his or her personal data.
Most of the time, the CA delegates this “Trusted Third Party” role to a network of Registration Authorities, which can be any type of company, business or institution. For example, LuxTrust’s RAs are mainly banks, though not exclusively: the oldest RA still in operation is Luxembourg’s Chamber of Commerce.
The identification process is resource-intensive (in headcount and time), so it is more practical for CAs to build partnerships with RAs. In return, by running the identification process themselves, RAs get the opportunity to make contact and start relationships with prospective clients.
What does a Registration Authority (RA) do?
Under the control and management of an RA Chief and Deputy, the RA staff, including RA Officers and Identifying Agents (trained directly by the Certification Authority), identify the qualified certificate requester in a face-to-face procedure (or an equivalent method permitted by eIDAS). This procedure is based on the verification of the requester’s official ID document (ID card or passport). The RA staff also check that the personal data that will appear in the digital certificate matches the data on the ID document.
This verification is what binds the certificate to a verified real-world identity: a certificate is only as trustworthy as the identity check performed before it is issued.
Furthermore, the RA takes part in the certificate’s life-cycle: when the legitimate holder requests a revocation, the RA processes the requested change of certificate status. The RA also keeps and archives all documentation directly linked to its “Trusted Third Party” operations, from the issuance of the certificate until its revocation. This provides a complete audit trail of all documents, data and checks, in case of legal disputes.
What does being an RA involve?
RAs, just like CAs, are regularly audited, which ensures the legality and validity of the identification process. In LuxTrust’s case, all RA operations are regularly reviewed as part of the Certification Authority’s internal audits. In addition, they are audited once a year through on-site missions as part of LuxTrust’s annual certification audits.
LuxTrust has been a Certification Authority since its inception in 2005. Equipping more than 700,000 users from around the world with trusted digital certificates, the company operates an extensive network of RAs in Luxembourg and abroad. Should you wish to find out more about how you can equip your employees or clients with digital certificates, drop us an email here.
Disclaimer: The above represents LuxTrust’s understanding of the relevant law or regulation and should not be taken, relied on or interpreted as a legal opinion. Customers are encouraged to seek independent legal advice before acting on this information.