Entwurf eines Konzepts für eine Zertifizierungsstelle für die Freie Universität Berlin

Public key cryptography and the key certification needed to apply it will be a building block of confidential and authentic communication on the Internet and hence of its wide-spread use in research, commerce and everyday communication. To enable and promote the use of public key cryptography, especially among the members of the Freie Universität Berlin (FU Berlin), a concept is presented for the installation and subsequent operating of a public key certification authority (CA) for the FU.
The concept proposes the certification according to two slightly different sets of certification guidelines (policies) derived from the respective policies of the DFN PCA project, one with basic security requirements, the so-called "low-level policy", and one policy with enhanced security requirements, resulting in a "medium level" of security. The low-level certification may be performed mobile "on location" on the occasion of, e.g. events like the University’s summer fest, whereas the mediumlevel certification is allowed to take place only in-house in the rooms of the computer centre of the FU Berlin (ZEDAT) that will host the FU CA. This two-way strategy shall enable the CA to better promote itself and its services among the members of the university, as this is deemed essential for building a reputation, gaining the users’ trust and raising their awareness for the (in)security aspects involved with Internet communication.
For the certification process itself, a laptop computer running Linux as operating system is suggested due to the openness and more effective security features of this OS in comparison to the Windows variants available. To facilitate the build-up and initial operating of the FU CA, detailed to-do lists and step-by-step directions are given for some of the routine procedures in a CA.
In addition, the legal aspects of running a CA in Germany are briefly sketched, thereby concluding that it would not be possible to run the FU Berlin CA as a CA as described in the German Digital Signature Law (Signaturgesetz) due to the law’s high demands on physical, staff and organizational security measures which exceed the means the university could dedicate to this project.