
Automated download of certificates
("managed PKI") via Trustcenter

The task

The "managed PKI" service for the automated download of certificates comprises the automated issuing, blocking and administration of certificates by the Trustcenter.

This service uses two different classes of certificates. First, at least one administrator or responsible person of your company is identified by the PostIdent procedure and receives a class 3 end user certificate. With this personally identified certificate, class 2 end user certificates can be applied for on behalf of every further employee of your company; these are issued by the Trustcenter.


Hierarchy and validity of the certificates

In practice, trust in the root certificate is essential for recipients to accept end user certificates. For this reason the CA certificates are signed by a root certificate that browsers already trust, so they are accepted automatically by almost all user software worldwide (99.3 % of the common browser/email applications). No warning message, and no request to install or accept the certificate manually, is shown to the user.

The maximum validity period of an end user certificate is five years from the day of issue.

Classes of certificates

The certificates are classified according to common worldwide standards; these are not official (statutory) classes. A class lays down:

  • the validation method
  • the method used to check the identity of the certificate holder


The certificate class determines the degree of trust that can be placed in the issuing procedure. The managed PKI service uses classes 2 and 3.


Class 2

A class 2 certificate requires that the correctness of the person's details is confirmed. The identification is carried out by an approved service (e.g. a partner company) or by a personally identified certificate holder of the same organization.


Class 3

Identification for a class 3 certificate is carried out by the PostIdent procedure. The Trustcenter identifies the applicant of a class 3 certificate through this certified procedure, in which employees of Deutsche Post reliably identify a person face to face.

Certificate authority

The certificate authority issues the certificates. The necessary data either come from the registration authority or are entered centrally by the certification service manager. This manager carries out the registration fully automatically for all requests arriving via the mail gateway and forwards the approved requests via the interface to the control centre and on to the certification service. The certification service manager then issues the class 2 and class 3 certificates. After a class 3 certificate has been issued, the control centre prints the corresponding PIN letter and sends it to the customer.


Directory service

The directory service serves to publish certificates and revocation lists.

Certificates and revocation lists remain in the directory service for retrieval and verification. Directory information is retrieved and modified via the Lightweight Directory Access Protocol (LDAP), a network protocol specified in RFC 4511.

You can download the signed certificates and revocation lists from the directory service. With the revocation list the customer can check locally whether a certificate has been blocked. The certification service issues a new revocation list once a day, so a gateway that stops downloading it will be working with stale revocation information.

Interface to the customer

The customer's mail gateway is the interface between customer and Trustcenter. It receives class 2 and class 3 end user certificates and class 3 key files (PKCS#12 files) from the Trustcenter.

The mail gateway uses the services of the Trustcenter and enables automated, reliable data exchange by email that is transparent to the user. Incoming and outgoing data are managed at a central point.

You can import the keys into the mail gateway and administer them there. No certificates are distributed to the employees' computers; all certificates are administered centrally.

Central email data exchange based on certificates and electronic signatures

Issue of class 3 certificates

A class 3 certificate is issued automatically, except for the application data, which is verified by the registration authority. An application can only be filed if the number of your master agreement is given; for this purpose the master agreement must first be deposited with the certification service manager.

The applicant is a responsible person or the administrator of the customer's mail gateway system. This person applies for a class 3 certificate with the online application form and is then identified by the PostIdent procedure.

The procedures for application, identification and verification of applications for class 3 certificates are similar to those for qualified certificates. These procedures already exist and are mentioned here only for the sake of completeness. The new procedures of issuing, issue verification and publishing are carried out fully automatically.


Issue of class 2 certificates

A class 3 certificate holder applies for a class 2 certificate by email, and the Trustcenter sends it by email as well. Each certificate requires its own application by email and is sent in a separate email.

A class 2 certificate holder can hold several certificates.

Blocking an end user certificate

Class 2 and class 3 end user certificates are valid for five years.

Under certain circumstances, e.g. when the signature key has been compromised or the identification details of a certificate holder change, a certificate becomes invalid before the end of its validity period. In that case the certificate in question has to be blocked.

The Trustcenter implements the following three blocking services:

  • blocking by email
  • blocking by mail
  • blocking by phone

Blocking requires that the applicant requests the blocking procedure and can authenticate himself to the Trustcenter. The authentication differs between the three blocking procedures.

The authentication is carried out as follows:

  • blocking by email: verification of the electronic signature
  • blocking by mail: verification of the handwritten signature
  • blocking by phone: verification of the blocking password for phone calls
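The following script is an added example and is not part of the Trustcenter documentation or of the Trustcenter's own tooling. It models, with a throw-away CA built from the openssl command-line tool, two of the steps described above: the "blocking by email" procedure, where a blocking request is accepted only if its electronic signature verifies under the CA and the signer is actually the holder of the certificate to be blocked, and the local revocation check from the directory service section, where a mail gateway verifies a certificate against the downloaded revocation list (CRL). All subject names, file names and the request wording are invented; the real Trustcenter CA, LDAP directory and request format are not reproduced here.

```shell
#!/bin/sh
# Added example; not part of the Trustcenter documentation. A throw-away CA
# stands in for the Trustcenter so that the lifecycle described on this page
# can be run end to end with nothing but the openssl command-line tool:
#   1. issue end user certificates (the class 2 certificates of the text),
#   2. handle "blocking by email": accept the request only if its electronic
#      signature verifies under the CA and the signer holds the certificate
#      that is to be blocked,
#   3. block the certificate, publish a revocation list (CRL) and check a
#      certificate against it locally, as a mail gateway would after
#      downloading the CRL from the directory service.
# All names, subjects and file names are invented for this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- 1. CA and two end user certificates -------------------------------------
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Trustcenter Class 2 CA" -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 \
  -extfile ca_ext.cnf -out ca.pem 2>/dev/null

issue_cert() {   # $1 = file basename, $2 = subject CN (here the mail address)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out "$1.pem" 2>/dev/null     # distinct serial per cert
}
issue_cert alice alice@example.test
issue_cert bob   bob@example.test

# Minimal configuration for 'openssl ca'; only -revoke and -gencrl are used.
mkdir db && : > db/index.txt && echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local
[ local ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF

# --- 2. Blocking by email: S/MIME (CMS) signed request -----------------------
serial_of() { openssl x509 -in "$1" -noout -serial; }

sign_blocking_request() {   # $1 = signer basename, $2 = cert to block, $3 = output
  printf 'Please block the certificate with %s\n' "$(serial_of "$2")" |
    openssl cms -sign -signer "$1.pem" -inkey "$1.key" -out "$3" 2>/dev/null
}

# 0 = accept: the signature verifies under the CA AND the signer's certificate
# is the one named in the request; a valid signature by another holder is refused.
accept_blocking_request() {   # $1 = signed request, $2 = cert to block
  openssl cms -verify -in "$1" -CAfile ca.pem -signer signer.pem \
    -out /dev/null 2>/dev/null || return 1
  [ "$(serial_of signer.pem)" = "$(serial_of "$2")" ]
}

# --- 3. Block, publish the CRL, check locally --------------------------------
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat ca.pem crl.pem > ca_with_crl.pem   # trust anchor plus current CRL
}
block_cert() { openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1 && publish_crl; }

# 0 = chains to the CA and is not on the CRL; 1 = blocked (or otherwise invalid).
# Also fails once the CRL's nextUpdate has passed, so the daily download matters.
is_valid() { openssl verify -crl_check -CAfile ca_with_crl.pem "$1" >/dev/null 2>&1; }

publish_crl                                   # initial CRL with no entries
sign_blocking_request bob   alice.pem req_from_bob.msg
sign_blocking_request alice alice.pem req_from_alice.msg
if accept_blocking_request req_from_bob.msg alice.pem; then
  echo "BUG: a request signed by bob must not block alice's certificate"; exit 1
fi
if accept_blocking_request req_from_alice.msg alice.pem; then
  block_cert alice.pem
fi
is_valid alice.pem && echo "alice: still valid" || echo "alice: blocked"
is_valid bob.pem   && echo "bob: still valid"   || echo "bob: blocked"
```

In production the trust anchor would be the Trustcenter's CA certificate and the CRL would be fetched from the directory service over LDAP (for instance with ldapsearch on the certificateRevocationList attribute; the exact DN and attribute names are an assumption, not taken from this page) and concatenated with the CA certificate exactly as ca_with_crl.pem is built here. The serial comparison in accept_blocking_request is the part that is easy to forget: a signature that merely verifies proves that some certificate holder sent the request, not that the holder of the certificate named in it did.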