
6 The registration process

6.1.1 The registration process differs slightly for each type of S.E.E. Key (passport, business card and associate card), as set out below.

6.2 S.E.E. Key passport

6.2.1 The CA, or a Registration Agent delegated by the CA, establishes the individual's identity using the GateKeeper 100-point system.

6.2.2 The CA checks any email address to appear in the certificate by sending an email to that address and requesting a reply confirming that the application is valid.

6.2.3 The CA issues a S.E.E. Key to the individual.

6.3 S.E.E. Key business card

6.3.1 The CA registers the agency as a S.E.E. PKI agency.

6.3.2 The CA determines which individuals may act as Sponsor, and optionally as Registration Agent (RA), for the agency. These roles must be delegated by the agency's chief executive or a company director.

6.3.3 The CA establishes those names that the agency may use for the O field in certificates.

6.3.4 The CA establishes those Internet domain names that the agency may use in email addresses and server names in certificates.

6.3.5 The CA satisfies itself that the organisation has the right to use these organisation names and Internet domain names.

6.3.7 The Sponsor approves requests for certificates of those requesting a S.E.E. Key business card. In doing so, the Sponsor must be confident of the identity of the individual for whom the S.E.E. Key is being issued.

6.3.8 The CA issues the S.E.E. Key certificate at the request of the Sponsor, and ensures that the O field is set to one of the agency's registered organisation names and that any email address or server name in the certificate uses only domain names registered to the agency.

6.4 S.E.E. Key associate card

6.4.1 This process is the same as for the S.E.E. Key business card process except that:

  • The CA requires that the O field in the certificate be set to "Associate registered by agency" where "agency" is a registered organisation name of the agency.

  • The CA checks any email address in the certificate by sending an email to the address, and requesting a reply confirming the validity of the application.
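The following Go program is an added illustration of the CA-side name checks in 6.3.8 and 6.4.1; it is not part of the S.E.E. PKI documentation or of any CA's software. It assumes the request reaches the CA as a PKCS#10 certificate signing request (CSR) carrying the applicant's public key and a proof-of-possession signature, which this page does not specify, and that the CA's agency registry holds the organisation names and domain names recorded under 6.3.3 and 6.3.4. The agency, person and addresses are constructed sample data. It goes slightly beyond the text in two places: subdomains of a registered domain are accepted, compared case-insensitively on label boundaries, while the O field must match the registered form exactly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Agency is what the CA recorded at agency registration (6.3.3, 6.3.4).
type Agency struct {
	OrgNames map[string]bool // names allowed in the O field
	Domains  []string        // domains allowed in email addresses and server names
}

// AssociatePrefix is the fixed wording 6.4.1 requires in an associate's O field.
const AssociatePrefix = "Associate registered by "

// domainRegistered accepts a registered domain or a subdomain of one, matched on
// label boundaries so that "notexample.govt.nz" is not accepted for "example.govt.nz".
func (a Agency) domainRegistered(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range a.Domains {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// CheckRequest is the CA-side gate before issuing. The CSR must be signed by the
// key it carries (the applicant holds the private key), the O field must be a
// registered name (business card) or AssociatePrefix plus a registered name
// (associate card), and every email and server name must sit under a registered domain.
func CheckRequest(csr *x509.CertificateRequest, a Agency, associate bool) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR not signed by the enclosed public key: %w", err)
	}
	if len(csr.Subject.Organization) != 1 {
		return fmt.Errorf("exactly one O field is required, got %d", len(csr.Subject.Organization))
	}
	o := csr.Subject.Organization[0]
	if associate {
		if !strings.HasPrefix(o, AssociatePrefix) || !a.OrgNames[strings.TrimPrefix(o, AssociatePrefix)] {
			return fmt.Errorf("associate O field must be %q plus a registered agency name, got %q", AssociatePrefix, o)
		}
	} else if !a.OrgNames[o] {
		return fmt.Errorf("O=%q is not a registered organisation name", o)
	}
	for _, e := range csr.EmailAddresses {
		parts := strings.Split(e, "@")
		if len(parts) != 2 || parts[0] == "" || !a.domainRegistered(parts[1]) {
			return fmt.Errorf("email %q is malformed or not under a registered domain", e)
		}
	}
	for _, d := range csr.DNSNames {
		if !a.domainRegistered(d) {
			return fmt.Errorf("server name %q is not under a registered domain", d)
		}
	}
	return nil
}

// NewRequest plays the applicant: a fresh P-256 key pair and a CSR carrying the
// public key, the requested O field and the subject alternative names.
func NewRequest(org string, emails, dnsNames []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: "Jane Example", Organization: []string{org}},
		EmailAddresses: emails,
		DNSNames:       dnsNames,
	}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	// Constructed sample registry and requests; the agency and the person are fictitious.
	agency := Agency{OrgNames: map[string]bool{"Ministry of Example": true}, Domains: []string{"example.govt.nz"}}
	for _, c := range []struct {
		associate  bool
		org, email string
	}{
		{false, "Ministry of Example", "jane@example.govt.nz"},
		{false, "Ministry of Example", "jane@notexample.govt.nz"},
		{true, "Ministry of Example", "jane@example.govt.nz"},
		{true, AssociatePrefix + "Ministry of Example", "jane@example.govt.nz"},
	} {
		csr, err := NewRequest(c.org, []string{c.email}, nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("associate=%v O=%q %s: %v\n", c.associate, c.org, c.email, CheckRequest(csr, agency, c.associate))
	}
}
```

The email confirmation that 6.2.2 and 6.4.1 require (a message to the address and a reply) is an out-of-band step and is not modelled here; the program only decides whether the requested names are ones the CA is permitted to put in the certificate.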

6.5 Protection of the private key and the token

6.5.1 An important aspect of the trust placed in the registration process is how a person's private key, and the token on which it is stored, are handled during registration.

6.5.2 Ideally the smart token is given to the user, who then uses the token to create a key pair (so the private key never leaves the token), and the public key is sent through the registration process to be embedded in the resulting certificate. However, this is not mandated for authentication S.E.E. Keys (we may require this in future for legal digital signature).

6.5.3 Where the above process is not followed, the keys may be generated by the CA, RA or Sponsor. The token must then either be protected with a password known to the person and to the CA, RA or Sponsor, or be delivered to the person in person.

6.5.4 If the private key is generated off the token, this must be done in a secure environment, and it must be loaded onto the token before being transported.

6.5.5 On receipt of the token, the person must change the password.
