
4 Who should decide which CAs to use?

4.1.1 When an agency decides to use a particular CA to issue certificates to its staff, it affects all those who may need to rely on those certificates. If these certificates are used to interact with other agencies, then those other agencies need to rely on these certificates.

4.1.2 Therefore, an agency's choice of CA is an all-of-government issue and needs to be managed by a body representing all agencies' interests. We propose that the SSC's E-government unit be charged with managing which CAs can be used for S.E.E.

4.2 How does the choice of CA affect other agencies?

4.2.1 When an application processes a certificate, for example an email client processing a signed message, or the CFISnet server processing a certificate presented by a web browser, it needs to rely on the certificate:

  • It must check that the certificate is from a trusted source, and currently the way to do this is to check it against a list of trusted CAs.

  • It must verify that the certificate is authentic by checking its signature.

  • It must check that the certificate has not been revoked. To do this it needs to look in the certificate for a CRL Distribution Point (CDP), which is the place to find a certificate revocation list (CRL), then retrieve the CRL and check that this certificate is not in the CRL. The CRL must exist, be accessible by certain protocols, and must not be too slow to retrieve.

  • It must check that the unique ID in the certificate matches the entity it is communicating with.

  • Due to the potential attacks a CA could attempt on systems (see Issue Paper 2), we need confidence in the CA's operations and their staff.

  • It may rely on particular attributes of a certificate to determine access.
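
The first four checks above, sketched as an added example in Python with the `cryptography` package (this is not code from the paper or from S.E.E.). It assumes ECDSA-signed certificates, a single CA level, a dictionary standing in for the CRL download, and constructed names, serial numbers and CRL URL.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def check(cert, trusted_cas, crl_store, expected_id):
    # 1. Trusted source: the issuer must be on the list of trusted CAs.
    ca = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if ca is None:
        return "untrusted issuer"
    # 2. Authentic: signature must verify under that CA's key (ECDSA assumed).
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    # 3. Not revoked: read the CDP, get the CRL, fail closed if unavailable.
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return "no CDP"
    crl = crl_store.get(cdp.value[0].full_name[0].value)  # stands in for a fetch
    if crl is None or not crl.is_signature_valid(ca.public_key()):
        return "CRL unavailable"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number):
        return "revoked"
    # 4. Identity: the ID in the certificate must match the expected peer.
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return "ok" if cn == expected_id else "identity mismatch"

# Constructed sample data: hypothetical names, serials, keys and CRL URL.
T0, T1 = dt.datetime(2024, 1, 1), dt.datetime(2034, 1, 1)
URL = "http://crl.example.invalid/ca.crl"
def name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
ca_key, rogue_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))

def make_cert(cn, key, issuer_cn, issuer_key, serial):
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(URL)], None, None, None)])
    return (x509.CertificateBuilder().subject_name(name(cn))
            .issuer_name(name(issuer_cn)).public_key(key.public_key())
            .serial_number(serial).not_valid_before(T0).not_valid_after(T1)
            .add_extension(cdp, critical=False).sign(issuer_key, hashes.SHA256()))

def make_crl(ca_cn, ca_key, serial):
    rev = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(T0).build()
    b = x509.CertificateRevocationListBuilder().issuer_name(name(ca_cn)).last_update(T0)
    return b.next_update(T1).add_revoked_certificate(rev).sign(ca_key, hashes.SHA256())
```

Every check depends on something the issuing CA controls (its key, its name on the trust list, the CRL it publishes at the CDP), which is why one agency's choice of CA reaches every relying agency. The sketch covers only the checks listed above and leaves out validity dates and CRL freshness.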

