RS : Public <<block>> Block
Created: 06.02.2018 09:58:03
Modified: 07.02.2018 18:47:38
Project:
Advanced:
The Registration Server is an entity, which contains the relation of a long-term certificate  and multiple pseudonyms of a user. <br/>Its purpose is to provide a possibility to de-anonymize a user in case of lawful intervention. IT does this by linking the pseudonym to a long-term certificate, which can be linked to a real identity by the Long-Term Certificate Authority. <br/><br/>By signing pseudonymous certificates for the user registered within the Registration Server, the server certifies that he is able to correlate the certificate with the real identity of a user. However, the Registration Server does not know where this certificates are used and other entities do not have the possibilities to cross reference the certificates to a real identity. <br/><br/><br/>
Element Message
«block» Identity Management Client  
Details:
Type: Sequence Synchronous Call
 
«block» Identity Management Client  
Details:
Type: Sequence Synchronous Call
 
«block» Identity Management Client  
Details:
Type: Sequence Synchronous Call
 
«block» Registration Server verifySignature
Details:
Type: Sequence Synchronous Call
The RS verifies the signature against his stored userCertificate, to make sure the signature is valid.
«block» Registration Server sign
Details:
Type: Sequence Synchronous Call
The Registration Server signs the certificate, to verify that he knows the corresponding long-term certificate.
«block» Registration Server sign
Details:
Type: Sequence Synchronous Call
If the signature of the user could be verified, the RS signs the certificate with his private key.
«block» Identity Management Client  
Details:
Type: Sequence Synchronous Call
 
Element Message
«block» Registration Server verifySignature
Details:
Type: Sequence Synchronous Call
The RS verifies the signature against his stored userCertificate, to make sure the signature is valid.
«block» x.509 Root Certification Authority sign(RR-certificate)
Details:
Type: Sequence Asynchronous Call
 
«block» Identity Management Client csr
Details:
Type: Sequence Synchronous Call
The IMC start a certificate signature request (CSR) with the serviceCertificate. It also provides the signature, as a proof that he owns the private key of the userCertificate. The IMC does not sign the serviceCertificate, as this would link it directly with its userCertificate and would destroy the pseudonym.
«block» Registration Server sign
Details:
Type: Sequence Synchronous Call
The Registration Server signs the certificate, to verify that he knows the corresponding long-term certificate.
«block» Registration Server sign
Details:
Type: Sequence Synchronous Call
If the signature of the user could be verified, the RS signs the certificate with his private key.
«block» Identity Management Client register
Details:
Type: Sequence Synchronous Call
The IM-C registers itself on one or more Registration Servers with the use of its Long-term Certificate. Based on this certificate, the server has a possibility to tie pseudonymous certificates to the real identity of the user.
«block» Identity Management Client register
Details:
Type: Sequence Synchronous Call
The user registers with his certificate at the Registration Server. In this step, he might also provide additional registration information, which is dependend of the registration server, like payment information. The userID is only unique to the RS and is used to manage the users. It might as well be derived from the certificate, e.g. by using the certificate fingerprint.
«block» Identity Management Client requestSignature
Details:
Type: Sequence Synchronous Call
The IM-C sends the pseudonymous certificate together with a signature to the Registration Server. By doing this signature, IM-C proves, that he has the private key associated with the long-term certificate. Therefore, the Registration server knows, that IM-C is the right user.
Property Value
_defaultDiagramType: SysML1.4::InternalBlock
Object Type Connection Direction Notes
«block» x.509 Root Certification Authority Block Dependency From By providing a signed certificate to the RS, the Root-CA proofs to other entities, that they can trust this specific RS.