Root Signing Services
Leveraging Corporate Certification Authorities to issue globally trusted digital certificates
Benefit of a Unique Trust Model
Selected customers can adhere to the OISTE-WISeKey Trust Model and benefit of immediate recognition of the certificates issued out of a dedicated corporate CA, by inheriting our accreditations and recognition by browsers and operating systems
Enable your CA to issue Trusted Certificates
The OISTE Trust Model allows affiliates to adhere to it and operate Issuing CAs under the “Standard” and “Advanced” Policy Certification Authorities. A comprehensive description of the different certificate profiles is available in http://www.oiste.org/repository.
Affiliates can be enabled to issue these certificates:
- Standard Certificates: aimed to e-mail protection and non-legally binding digital signatures. These certificates reference an e-mail address, not the person’s identity.
- Advanced Certificates: aimed to legally binding signatures and a higher level of security. Advanced Certificates can be issued to:
- Physical persons or individuals
- Legal persons or corporations
- Applications (i.e. SSL Certificates)
- Device Certificates: specially adapted for the needs of connected devices in the Internet of Things
The “Domain Constraint” Approach
In order to effectively include third parties in our Trust Model, it is needed to ensure that affiliates can assume an independent control of their subordinated Certification Authorities respecting two base concepts:
- WISeKey/OISTE Certification Practices and Policies are respected
- There’s no interference with other possible affiliates in the Trust Model
The mechanism to ensure this is the “domain constraint” that limits the capability for a subordinated CA to issue certificates into a series of allowed Internet domains. For example, a customer could generate a CA that is constrained to the domain customerX.com, in this case, the domain constrained CA would allow to issue certificates including names as:
- A certificate that includes the e-mail: name@customerX.com
- A certificate that includes the e-mail: name@external.customerX.com
- SSL certificate that includes the server name: www.customerX.com
- SSL certificate that includes the server name: customer1.partners.customerX.com
As an alternative, WISeKey could build a Publicly Trusted CA, with no technical or name constraints, but this would imply that this CA must be independently audited before the operation and also to be included in our annual Webtrust audits.
If you are interested in Root Signing Services, please contact us at sales@wisekey.com and we will confirm if your project qualifies as for this service.