The "Security Printer" model for CA operations
A simple new conceptual model to describe the role of backend CAs, likening them to secure printing bureaus, and thus decoupling CAs from business relationships between PKI end users.
Our historical view of the role of backend CAs has had them tied into the whole of the certificate management process. CAs tend to be joined in liability arrangements and contracts to potentially any wrongdoing or misadventure associated with certificates. CPs, CPSs and user agreements have been correspondingly difficult to construct. To date, the separation of roles of RA and CA has done little to quarantine the two functions from one another, nor to simplify liability arrangements. Accreditation remains complex and sensitive to the slightest changes at either the RA or CA.
This White Paper presents a new way of looking at backend CAs, likening them to conventional security printers, and outlines how a fresh metaphor might help simplify the accreditation of CAs.