Certificate-based KU Digital Credentials are available to faculty and staff who need to send and receive email that contains information which must be protected with encryption or that needs a digital signature that the recipient can use to confirm the sender's identity and message contents.
Certificates are issued in accordance with DigiCert Certification Practices.
There are three types of certificate-based KU digital credentials. Each identifies the user by name and email address, but they differ in the type of certificate used and in how the corresponding private key is generated and handled. Currently only two of the three types are used.
For Email Security Plus (encryption) certificates, DigiCert generates both the private key and the certificate. It distributes these to the user and keeps a copy of the private key in escrow for the University's benefit. The escrowed key may be retrieved by the person whose email address is in the certificate if they need to recover it for any reason. It may also be retrieved through an administrative procedure if it becomes necessary to recover encrypted material and the user cannot provide the key.
For Digital Signature Plus (authentication) certificates, the private key is generated directly on the user's computer, so the user holds the only copy. The user's computer sends the corresponding public key to DigiCert in a certificate signing request (CSR), and DigiCert returns a signed certificate; the private key itself never leaves the user's machine. This provides "nonrepudiation" for use of the identity: because no other party has ever held the private key, a valid signature can only have been produced by its holder. The user controls the private key from the moment it is generated, so as long as it stays protected on that device no one else can generate a signature or access a system using this identity.
For multi-purpose certificates (called Premium in DigiCert's product line and not currently used by KU), a single key/certificate pair can be used for both encryption and signing. The private key is generated on the user's computer and is not escrowed. If it is lost or unavailable, any material encrypted with it cannot be read, making it unsuitable for University business purposes.
Users will normally get both an escrowed encryption certificate and an email authentication certificate. They then configure their email program to use the first for encryption and the second for signing. Encryption certificates can be published to the Exchange Global Address List to make them available to people who need to send encrypted email or documents. The process for this is documented in the email setup instructions.
Prior to October 2011 KU used certificates signed by a KU-based Certification Authority. These required installation of the KU root certificate on any system where they were used. The last of these expired on October 1, 2011. Users who have email encrypted with them should leave those certificate/key pairs installed for reading old email, but the expired certificates cannot be used for encrypting new messages.
A set of digital credentials consists of two parts:
- a private key
- a public key certificate, which includes the public key, validity period, identification, and Certification Authority signature
Private keys are used to generate digital signatures and to decrypt email or files encrypted using the corresponding public key. It is important to keep them secret. Public keys, as the name implies, can be made available to anyone. They are used to verify digital signatures and to encrypt email or files and are often published in directories.
Because private keys for signing and encryption must be managed differently (signing keys must never be copied, while encryption keys must be recoverable), each faculty or staff member using KU digital credentials will have two separate key and certificate pairs, one for authentication and one for encryption.
A digital signature generated using a private key can be verified using the corresponding public key. The identity information in the public key certificate binds that public key to the signer, so a verified signature identifies who produced it. The certificate, in turn, is signed by a Certification Authority (CA), which is what lets a recipient trust the binding. The CA for KU escrowed encryption and email authentication certificates is DigiCert. DigiCert issues these certificates based on requests from KU after KU confirms the addresses and associated names through its identity management system.
The certificate specifies the identity of its subject, its validity period, permitted uses, identity of the issuer, and where information about revocation status and the issuer's policies and practices can be found.