RFC 2511: Internet X.509 Certificate Request Messag...
RFC-Ref

RA



... CA) (possibly via a Registration Authority (RA)) for the purposes of X.509 certificate production. The request will typically include a public key ...


... certReq content. However, inclusion of additional certReq content by RAs may invalidate the pop field. Data therefore intended for certificate content MAY be provided in regInfo ...


... In order to prevent certain attacks and to allow a CA/RA to properly check the validity of the binding ...
... certificate is requested. A given CA/RA is free to choose how to enforce POP (e.g., out-of-band ...
... certification exchanges (i.e., this may be a policy issue). However, it is MANDATED that CAs/RAs MUST enforce POP by some means because there are currently many non-PKIX ...
... binding can only be assumed to have been verified by the CA/RA. Therefore, if the binding is not verified by the CA ...
... binding is not verified by the CA/RA, certificates in the Internet Public-Key Infrastructure ...
... validated by the CA, the RA, or both. Some policies may require the CA to verify POP ...
... POP during certification, in which case the RA MUST forward the end entity's CertRequest and ProofOfPossession ...
... CA is not required by policy to verify POP, then the RA SHOULD forward the end entity's request and proof unaltered to the CA ...
... request and proof unaltered to the CA as above. If this is not possible (for example because the RA verifies POP by an out-of-band ...
... out-of-band method), then the RA MAY attest to the CA that the required proof has been validated ...
... private key to the CA/RA, or can be required to decrypt a value in order to prove possession of the private key. Decrypting a value can be achieved ...
... The direct method is for the RA/CA to issue a random challenge to which an immediate response by the end entity ...
... entity (i.e., CA or RA) must establish a shared secret key in order to prove that the end entity ...
... ProofOfPossession ::= CHOICE { raVerified [0] NULL, -- used if the RA has already verified that the requester is in -- possession of the private key ...
... challengeResp (1) } -- requests that CA/RA engage in challenge-response exchange with -- end entity ...
... of a shared secret distributed in a trusted fashion between CA/RA and end-entity. The salt value ...


... ProofOfPossession ::= CHOICE { raVerified [0] NULL, -- used if the RA has already verified that the requester is in -- possession of the private key ...


