5. Organizational Aspects

5.1. Dual Access Control

Dual access control has physical and technical aspects, but it is first of all an organizational matter: which two roles must act together, and who assigns them.

5.2. Privacy vs. Security

Privacy versus security: every monitoring measure (for example camera recordings of the CA room) must be weighed against the privacy of the people being monitored.

5.3. Enforcement of Access Control

Access control is only as good as the control of its regulations: who is allowed to change the access control rules themselves? Nobody should be able to control the rules that apply to himself (no self-control).

5.4. Privacy Officer Integration

How to integrate the privacy officers? Certificates are often published, but not always, so which fields of a certificate must be published at all? Should a new personal identifier (PID) or a new ID be used, and what actually is the identity of a person in conventional (non-PKI) areas of the organization?

5.5. Enterprise Integration

Integration with already existing ERP databases and meta directories, which usually are the authoritative sources for the identities a PKI has to certify.

5.6. Parallel use of several end user PKIs

There are numerous situations in which it is a good idea to operate more than one PKI for end users. Perhaps you need a server CA and a separate user CA. Sometimes an old CA is still active and issuing CRLs because there are still valid certificates, while the new CA issues all new certificates. Other people use different CAs to implement a simple access control by certificate chains (so-called trust paths). As you can see, there are many situations in which you have to operate more than one PKI.

Most PKI programmers, like me, have no problem distinguishing between different PKIs, because we always ask ourselves who issued the certificate. Normal users instead look at the certificate, call the hotline and ask why their certificate for Jon Doe with serial 12345 does not work. At the other end the person from the hotline looks into his computer and answers that the certificate is correct and valid. So what is going on? Usually the caller and the hotline are looking at two different certificates that share a serial number but were issued by different CAs.

A certificate has two elements that identify it and that are easy to handle, unlike the common name in the subject, which need not be unique: first there is the serial number and second there is the issuer name. RFC 5280 guarantees only that the pair of issuer name and serial number identifies a certificate; the serial alone is unique only within one CA. (The keyID and the issuer in the authority key identifier extension also identify the issuing CA, but they are not easy for an end user to interpret.) If a customer calls a hotline, the easiest way to handle the problem is to use organization-wide unique serial numbers. If you start a second CA or have to replace an old CA, never reuse serial numbers if you can avoid it. You will search for hours if somebody reports a broken certificate chain for certificate 12345 and you have two certificates with that serial. If you ever issued certificates with identical serials, always ask for the issuer name when you receive an error report. And never create a replacement for an old CA with the same name as the old one: two CAs with the same name cannot be told apart by issuer name at all, which causes nothing but trouble.
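The following is an added example (not code from the original text or from any PKI product) that shows the two points of this section in working Python: a serial number scheme that makes serials unique across all CAs of an organization, and a registry keyed by the pair (issuer, serial) that reproduces the hotline situation when a serial was reused. The 16-bit CA identifier above a 64-bit random block, the registry class and the sample CA names are assumptions of the example; the constraints on the serial (positive integer, at most 20 DER octets) are taken from RFC 5280 section 4.1.2.2, and the 64 random bits are the CA/Browser Forum minimum for publicly trusted certificates.

```python
"""Added example: organization-wide unique serials and (issuer, serial) lookup.

The bit layout, the registry and the sample CAs are constructed for this page.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER, at most 20 DER octets.
MAX_SERIAL_OCTETS = 20
# Random bits per serial; 64 bits of CSPRNG output is the CA/B Forum minimum.
RANDOM_BITS = 64
# Assumption of this example: a 16-bit CA identifier above the random block.
CA_ID_BITS = 16


def der_integer_octets(value: int) -> int:
    """Octets a positive INTEGER occupies in DER (the sign bit must be 0)."""
    return value.bit_length() // 8 + 1


def check_serial(serial: int) -> None:
    """Reject serials that violate the RFC 5280 constraints above."""
    if serial <= 0:
        raise ValueError("serial must be a positive integer")
    if der_integer_octets(serial) > MAX_SERIAL_OCTETS:
        raise ValueError("serial exceeds 20 DER octets")


def new_serial(ca_id: int) -> int:
    """Serial that cannot collide with a serial of another CA in the organization.

    Layout (assumption): ca_id sits above a 64-bit random block, so two CAs never
    produce the same serial even if they draw the same random value.
    """
    if not 0 < ca_id < (1 << CA_ID_BITS):
        raise ValueError("ca_id out of range")
    serial = (ca_id << RANDOM_BITS) | secrets.randbits(RANDOM_BITS)
    check_serial(serial)
    return serial


def ca_of_serial(serial: int) -> int:
    """Recover the issuing CA's identifier from a serial made by new_serial()."""
    return serial >> RANDOM_BITS


@dataclass(frozen=True)
class CertRecord:
    issuer: str  # issuer DN as a string
    serial: int
    subject: str


class CertRegistry:
    """Index of issued certificates keyed the way RFC 5280 identifies them."""

    def __init__(self) -> None:
        self._by_key: dict[tuple[str, int], CertRecord] = {}
        self._by_serial: dict[int, list[CertRecord]] = {}

    def add(self, rec: CertRecord) -> None:
        key = (rec.issuer, rec.serial)
        if key in self._by_key:
            # Same issuer name and same serial: indistinguishable to every
            # relying party, so refuse to register the second one.
            raise ValueError(f"duplicate (issuer, serial): {key}")
        self._by_key[key] = rec
        self._by_serial.setdefault(rec.serial, []).append(rec)

    def lookup(self, serial: int, issuer: str | None = None) -> list[CertRecord]:
        """What the hotline does with a reported serial: exact with the issuer,
        one candidate per CA that reused the serial without it."""
        if issuer is not None:
            rec = self._by_key.get((issuer, serial))
            return [rec] if rec is not None else []
        return list(self._by_serial.get(serial, []))


def demo() -> tuple[int, int, int, int]:
    """Reproduce the hotline situation with constructed sample data."""
    reg = CertRegistry()
    old_ca = "CN=Old User CA,O=Example"  # constructed names
    new_ca = "CN=New User CA,O=Example"
    reg.add(CertRecord(old_ca, 12345, "CN=Jon Doe"))
    reg.add(CertRecord(new_ca, 12345, "CN=Jon Doe"))  # serial reused by new CA
    ambiguous = reg.lookup(12345)             # two candidates
    exact = reg.lookup(12345, issuer=new_ca)  # one candidate
    # Serials from new_serial() carry the CA id: the issuer is recoverable from
    # the serial alone, and serials of different CAs never collide.
    s1, s2 = new_serial(1), new_serial(2)
    return len(ambiguous), len(exact), ca_of_serial(s1), ca_of_serial(s2)


def same_name_replacement_is_rejected() -> bool:
    """A replacement CA with the old name and a reused serial cannot be registered."""
    reg = CertRegistry()
    reg.add(CertRecord("CN=User CA,O=Example", 1, "CN=Jon Doe"))
    try:
        reg.add(CertRecord("CN=User CA,O=Example", 1, "CN=Jane Roe"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), same_name_replacement_is_rejected())
```

Running demo() yields two candidates for the bare serial 12345 and exactly one once the issuer is supplied, which is the hotline conversation from the text; with serials from new_serial() the CA identifier can be read straight out of the serial, so a support engineer never needs to ask for the issuer. The registry refuses a second entry with the same issuer name and serial, which is the concrete reason behind the advice never to give a replacement CA the name of the old one.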

To sum it up simply: if you avoid duplicate identifiers (serial numbers and CA names), you automatically avoid many problems.