Replacement of Lost User Certificates for instant IS access

摘要

This paper focuses on a practical aspect of employing user certificates for strong authentication in web based systems. As soon as users are dependent on X.509-certificates to access important resources as e.g. corporate information systems there has to be a fast workflow for securely replacing previously issued certificates in the possible case of loss or theft. The ordinary way to issue certificates is too time consuming, since it takes too much time, including checks, to determine whether a person has the right to obtain a certificate and to make sure that he or she is the one who is allowed to get this certificate. If a valid certificate is lost or stolen, the primary task is revoking the old unusable certificate and certifying a new key pair. Therefore, we suggest a workflow involving two priviledged colleagues to certify the identity of a third employee who has no access to his or her certificate. This workflow is currently being implemented in one and under consideration for deployment in another large PKI-project in Europe.