The defence public key infrastructure (DPKI) X.509 certificate policy provides a full description of the DPKI and the role of the Defence Root Certification Authority (DRCA).
This is Version 3.0, dated 8 October 2008.
Object Identifier (OID): 1.2.826.0.1310.100.3
Public key infrastructure
A public key infrastructure (PKI) enables users of a public network such as the internet to exchange data securely and privately using public and private cryptographic key pairs. Each user keeps their private key secret; their public key is bound to their identity in a certificate issued by a trusted authority, so that other parties can obtain the public key and verify who it belongs to.
The X.509 standard
X.509 is the common standard for a PKI. Amongst other things, it specifies standard formats for public key certificates, certificate revocation lists (CRLs) and attribute certificates, and a certification path validation algorithm for checking a certificate back to a trusted root.
About the Defence Root Certification Authority (DRCA)
The DRCA provides Trust Services for the defence environment and is the ultimate trust point for the DPKI. It provides support to authentication, integrity, confidentiality and non-repudiation services through the use of X.509 certificates.
The DPKI Trust Service (using the DRCA as its root) is a pan-Ministry of Defence (MOD) provision that will be available to all MOD-recognised projects, applications, services and entities that require it, subject to approval from the DPKI Policy Management Authority (DPMA). Through interoperability, the DPKI will extend its Trust Services to other organisations and nations, such as NATO, the US Department of Defense, and Transglobal Secure Collaboration Participation Inc (TSCP), according to MOD business or operational requirements.
The DRCA holds the root private signing key for the DPKI. It generates the key pairs for all subordinate certification authorities and issues the certificates that carry their public keys; a private key is never part of a certificate. It also issues authority revocation lists (ARLs), which list revoked subordinate CA certificates, to these certification authorities on a monthly basis, and emergency ARLs when required.
A strict process is followed to establish the identity of those who request subordinate CA certificates or emergency revocations, and a validation process confirms that they are authorised to do so.
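As an added illustration of the path validation and ARL mechanisms described above (this is example code written for this page, not material from the DPKI certificate policy or from the MOD), the following script builds a toy two-tier hierarchy with the openssl command-line tool: a self-signed root standing in for the DRCA, a subordinate CA whose certificate the root signs, and an end-entity certificate issued by the subordinate. It validates the end-entity path, has the root revoke the subordinate through a reissued ARL, and shows the same path being rejected. It assumes OpenSSL 1.1.1 or later on PATH; every name, lifetime and file path is invented for the example, and the ARL is modelled as a CRL signed by the root that lists only CA certificates.

```shell
#!/bin/sh
# Added example, not part of the DPKI certificate policy.  Assumes OpenSSL
# 1.1.1+ on PATH; "Example Root CA" stands in for a root such as the DRCA,
# and every name, path and lifetime below is an assumed value.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# One config serves CSR generation, the CA extension profiles, and the
# CRL/ARL signing that "openssl ca" performs for each CA section.
write_config() {
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_ee ]
basicConstraints = critical, CA:FALSE
[ ca ]
default_ca = root_ca
[ root_ca ]
database = root_index.txt
crlnumber = root_crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
[ sub_ca ]
database = sub_index.txt
crlnumber = sub_crlnumber
certificate = sub.crt
private_key = sub.key
default_md = sha256
default_crl_days = 7
EOF
  touch root_index.txt sub_index.txt
  echo 1000 > root_crlnumber
  echo 1000 > sub_crlnumber
}

# Issue a CRL from the named CA section.  The root's CRL lists only
# subordinate CA certificates, which is what the policy calls an ARL.
gen_crl() {  # $1 = CA section, $2 = output file
  openssl ca -config pki.cnf -name "$1" -gencrl -out "$2" >/dev/null 2>&1
}
bundle_crls() { cat arl.pem sub_crl.pem > crls.pem; }

build_hierarchy() {
  write_config
  # Root CA: self-signed; its private key is the ultimate trust point.
  openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -days 3650 \
    -subj "/C=GB/O=Example/CN=Example Root CA" >/dev/null 2>&1
  # Subordinate CA: CSR signed by the root, constrained to pathlen 0.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout sub.key \
    -out sub.csr -subj "/C=GB/O=Example/CN=Example Sub CA" >/dev/null 2>&1
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_sub -days 1825 -out sub.crt >/dev/null 2>&1
  # End-entity certificate issued by the subordinate CA.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout ee.key \
    -out ee.csr -subj "/C=GB/O=Example/CN=alice" >/dev/null 2>&1
  openssl x509 -req -in ee.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_ee -days 365 -out ee.crt >/dev/null 2>&1
  gen_crl root_ca arl.pem      # empty ARL: no CA certificate revoked yet
  gen_crl sub_ca sub_crl.pem   # the subordinate's own CRL for end entities
  bundle_crls
}

# Certification path validation: only the root is trusted, the subordinate is
# supplied as untrusted, and a current CRL/ARL is required for every CA in
# the path.  Prints OK or REJECTED; openssl's reason goes to stderr.
path_status() {
  if openssl verify -crl_check_all -CAfile root.crt -CRLfile crls.pem \
       -untrusted sub.crt ee.crt >/dev/null; then
    echo OK
  else
    echo REJECTED
  fi
}

# Emergency revocation of the subordinate CA: the root records the revocation
# and reissues its ARL; every path through the subordinate then fails even
# though the end-entity certificate itself was never revoked.
revoke_sub_ca() {
  openssl ca -config pki.cnf -name root_ca -revoke sub.crt \
    -crl_reason keyCompromise >/dev/null 2>&1
  gen_crl root_ca arl.pem
  bundle_crls
}

run_demo() {
  build_hierarchy
  before=$(path_status)
  revoke_sub_ca
  after=$(path_status)
  echo "before_arl_revocation=$before after_arl_revocation=$after"
}

RESULT=$(run_demo)
echo "$RESULT"   # before_arl_revocation=OK after_arl_revocation=REJECTED
echo "artifacts left in $WORK"
```

The validation uses -crl_check_all, which demands a current CRL or ARL for every certificate in the path, so the bundle must contain the subordinate's CRL as well as the root's ARL; with the root's ARL alone, the end-entity check fails for lack of the subordinate's CRL rather than because the subordinate is revoked. That dependency is the practical reason a certificate policy fixes both the routine ARL issuance interval and the emergency re-issue path.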