Your CA should be able to assist you with key escrow and recovery
activity. You'll need these services if any of the digital certificate
uses involve encrypting company-owned documents or messages. To
understand why this is important, it's critical to understand the
distinction between message signing and data encryption. Typically,
digital certificates are used for one purpose or the other -- not both.
Each user will possess both a signing private key and an encryption
private key. It's not important to recover a signing key, since the
accompanying certificate is only used to verify a digital signature. If
the person leaves the organization, there's no need to further verify
their electronic signatures. However, they may leave behind documents
that were encrypted using the public key from their digital certificate.
The only way to decrypt these documents is with the private key that
accompanies the encryption public key certificate. If you're unable to
recover the key from their PC's hard drive, you need a way to recover it
from your CA. The common solution here is to maintain a copy of the
entire key pair (private key and public key certificate) at the time of
certificate generation. The CA should be responsible for this activity.
One other factor is also important. It's better to issue people key pairs
that the CA system generates if they're used for data encryption, and
it's better to permit people to generate their own key pairs when
they're used for message signing. This is especially important for
non-repudiation.
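The separation described above, as an added example using the openssl CLI (this is not code from the original article): the user generates a signing pair that is never escrowed, the CA generates the encryption pair and escrows its private half, and after the user leaves the CA recovers an encrypted document while old signatures still verify with the public key alone. File names, the escrow passphrase and the sample document are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: a user keeps a self-generated
# signing key pair (never escrowed), while the CA generates the encryption key
# pair and escrows the private half. Uses the openssl CLI; every path, name and
# passphrase below is constructed for the demo.
set -e
WORK=$(mktemp -d); mkdir -p "$WORK/escrow"
ESCROW_PASS="ca-escrow-secret"   # stand-in for a CA-held (ideally HSM-protected) wrapping key

gen_rsa() {   # $1 = private key path, $2 = public key path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# Signing pair: generated on the user's side; the private key stays with the user only.
user_generate_signing_key() { gen_rsa "$WORK/user-sign.key" "$WORK/user-sign.pub"; }

# Encryption pair: the CA generates it and keeps a wrapped copy before issuing it.
ca_generate_and_escrow_encryption_key() {
  gen_rsa "$WORK/user-enc.key" "$WORK/user-enc.pub"
  openssl pkey -in "$WORK/user-enc.key" -aes256 -passout "pass:$ESCROW_PASS" \
    -out "$WORK/escrow/user-enc.key.enc"
}

# A document (constructed sample text) encrypted to the user's encryption public key
# and signed with the user's signing private key.
encrypt_and_sign_document() {
  printf 'Q3 board minutes (constructed sample)' > "$WORK/doc.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/user-enc.pub" \
    -in "$WORK/doc.txt" -out "$WORK/doc.enc"
  openssl dgst -sha256 -sign "$WORK/user-sign.key" -out "$WORK/doc.sig" "$WORK/doc.txt"
}

# The user leaves; the workstation copies of both private keys are gone.
simulate_departure() { rm -f "$WORK/user-enc.key" "$WORK/user-sign.key"; }

# Recovery: the CA unwraps the escrowed encryption key and decrypts the document.
recover_document() {
  openssl pkey -in "$WORK/escrow/user-enc.key.enc" -passin "pass:$ESCROW_PASS" \
    -out "$WORK/recovered-enc.key"
  openssl pkeyutl -decrypt -inkey "$WORK/recovered-enc.key" -in "$WORK/doc.enc"
}

# Old signatures still verify with the public key alone; no signing-key escrow is needed.
signature_still_verifies() {
  openssl dgst -sha256 -verify "$WORK/user-sign.pub" -signature "$WORK/doc.sig" \
    "$WORK/doc.txt" >/dev/null
}

user_generate_signing_key
ca_generate_and_escrow_encryption_key
encrypt_and_sign_document
simulate_departure
echo "recovered: $(recover_document)"
signature_still_verifies && echo "old signature verifies with the public key only"
```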