The DutchGrid medium-security Certification Authority proves possession of the private key that is the companion to the DutchGrid medium-security Certification Authority root certificate by issuing certificates and signing CRLs.
The DutchGrid medium-security Certification Authority verifies possession of the private key relating to certificate requests by out-of-band, non-technical means at the time of authentication and certification. Such verification may take the form of a question posed directly to the requester. The information exchanged during the identity vetting phase is linked to the original key pair by providing a digest of critical key pair information on the same form or in the same message as the identity validation.
A cryptographic challenge-response exchange may be used to prove possession of the private key at any point in time before certification of the subscriber.
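The digest binding described above can be checked mechanically. The following is an added example, not part of this policy text or of the CA's own tooling. It assumes the request is a PKCS#10 CSR and that the "digest of critical key pair information" is the SHA-256 of the DER SubjectPublicKeyInfo. The function names are hypothetical, and the CSR self-signature check is an extra technical check alongside the out-of-band one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
)

// KeyDigest verifies the request's self-signature and returns the hex SHA-256
// of its DER SubjectPublicKeyInfo (assumed format for the digest on the form).
func KeyDigest(csrDER []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", fmt.Errorf("parse request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("request not signed by its own key: %w", err)
	}
	sum := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// CheckRequest is the RA-side check against the digest recorded at vetting.
func CheckRequest(csrDER []byte, formDigest string) error {
	got, err := KeyDigest(csrDER)
	if err == nil && got != formDigest {
		err = fmt.Errorf("key digest %s does not match the vetting form", got)
	}
	return err
}

// NewSampleRequest builds a constructed request: fresh P-256 key, made-up subject.
func NewSampleRequest(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

func main() {
	der, _ := NewSampleRequest("Example Subscriber")
	digest, _ := KeyDigest(der)
	fmt.Println(digest, CheckRequest(der, digest))
}
```

A request carrying the same subject name but a different key fails the check, which is what ties the vetted identity to one specific key pair.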
The DutchGrid medium-security Certification Authority will not generate the key pair for subscribers and will not accept or retain private keys generated by subscribers. The DutchGrid medium-security Certification Authority or an RA may support the user in generating the key pair securely by providing software or hardware tools to generate or store a key pair.