UTHSC-H Digital IDs
Middleware |  Identity Management |  Directory Service |  Authentication |  Authorization |  Digital IDs
 

Registration Agent (RA) Policies and Procedures

Registration Agents (RAs) at The University of Texas Health Science Center at Houston (UTHSC-H) are trusted individuals who:

  • Provide important assurances of the identity of individuals requesting Digital IDs and/or guest access to restricted UTHSC-H information resources,
  • Approve applications for certification of Digital IDs jointly issued by The University of Texas Health Science Center at Houston and VeriSign Inc., and
  • Approve applications for guest access to restricted UTHSC-H information resources.
Formal agreements between VeriSign and U. T. System require that RAs be individuals who have demonstrated trustworthy behavior while employed by UTHSC-H. These agreements, U. T. System policy and UTHSC-H policy require an RA to assure an applicant's identity by requiring an applicant to:
  • Personally appear before the approving RA, and
  • Provide the approving RA two forms of personal identification (ID), both of which must incorporate the applicant's picture. One ID must be a government issued ID, e.g., a driver's license or a passport, and the other must be a UTHSC-H identification badge. (Note: individuals applying for guest access are required only to provide a government issued picture ID.)
In all cases, it is crucial that an applicant appear in person before an RA with proof of identification as indicated above, before that RA approves the applicant's request. Inappropriate verification and approval activities by an RA leave UTHSC-H susceptible to significant liabilities.

Failure of an RA to require both a personal appearance and the required identification, or failure to view the applicant's required identification documents, will result in the RA being subject to disciplinary action - including termination of employment.

In addition to the initial approval process, there are several subsequent services that an end-user may request of an RA. These activities include revoking a certificate for a user, resetting a user’s challenge phrase, and helping a user renew a certificate when he is unable to do so using the online tool. In each of these cases, the RA must also follow specific policies and procedures as indicated below.

Revocation

An RA may not act on anyone's telephone request to revoke a user's certificate. Although this action does not carry the risk of accidentally tying a key pair to the wrong person, it does create the possibility that an RA will invalidate someone's certificate counter to her wishes. 

Usually a user requests revocation because of a system failure resulting in loss of the private key. In such instances, the user is unable to send a digitally signed request. Therefore, we must follow the procedure below in order to establish reasonable proof that the owner of the digital ID desires a revocation:

  • A user will need to appear before his department's PC support person (LAN manager or help desk personnel) to request that his digital ID be revoked.
  • The PC support person will then need to send a digitally signed message to an RA requesting the user's digital ID be revoked.
  • If the PC support person is unavailable, then the user must appear before an RA to get their digital ID revoked.
When explaining this procedure to desktop support personnel, please send them this template to utilize so they will know what information needs to be included in such requests:

      ________________ has physically appeared before me and has formally requested that his/her UTHSC-H Digital ID be revoked immediately for the following reason(s):

Resetting of Challenge Phrase

Usually this request arises when the user is about to renew his certificate, and finds that he has forgotten his challenge phrase. The challenge phrase must not be reset under any circumstances without a signed e-mail from the user requesting that it be reset. Resetting the challenge phrase for a particular certificate on the request of an unauthorized user, brings that user one step closer to renewing someone else's certificate and having complete access to that private/public key pair. If you reset the challenge phrase, you must transmit the new challenge phrase to the user via encrypted e-mail. If the user requests that a certain challenge phrase be used, that challenge phrase must also be sent over encrypted e-mail. 

Renewing When Challenge Phrase Has Been Forgotten

As described above, the user must send a digitally signed request if she wants her challenge phrase reset so that she may proceed with normal renewal procedures. As an alternative, based on the user's digitally signed wishes, you may also may revoke the certificate and then approve the person's new application. Neither of these methods should be used unless you get a digitally signed request from the user, which irrevocably ties that person to that key pair.

Please remember that despite PKI’s inherent strength, the strong link between person and key pair are only as strong as our RA policies. Under no circumstances should an RA be pressured to break these procedures.
 

     Digital ID Home Page     

Last Modified: 
Office of Academic Computing
Copyright © 2003 The University of Texas Health Science Center at Houston