Index of documents supporting the Grant of Approval to the Ministry of Defence’s Defence Root Certification Authority service.
Base Approval Profile | tSd0111 | 3.00 |
Approval Profile for a Certification Authority | tSd0102 | 3.01 |
Approval Profile for Signing Key Pair Management | tSd0103 | 3.02 |
Approval Profile for Certificate Generation | tSd0104 | 3.01 |
Approval Profile for Certificate Dissemination | tSd0105 | 3.01 |
Approval Profile for Certificate Status Management | tSd0106 | 3.01 |
Approval Profile for Certificate Status Validation | tSd0107 | 3.01 |
Approval Profile for Registration | tSd0042 | 3.02 |
What the tScheme Approved Service Mark signifies
When a trust service carries the tScheme Mark, you can be secure in the knowledge that:
For each service, tScheme approval is regularly reviewed and may be withdrawn.
This Grant of Approval does not affirm or endorse any claims of conformance to standards or adherence to guidelines not explicitly listed as forming part of the service assessment.
Approved Service - Service Description
Defence Root Certification Authority (DRCA)
This Grant of Approval relates to the MoD’s service known as the Defence Root Certification Authority (DRCA). It does not cover the wider Defence Public Key Infrastructure (DPKI).
The DPKI X.509 Certificate Policy Version 3.0 (dated 8 Oct 08 | OID 1.2.826.0.1310.100.3) provides a full description of the DPKI and the DRCA’s role. This policy document is publicly available at www.mod.uk/pki.
The DRCA provides Trust Services for the Defence environment and is the ultimate trust point for the DPKI. It provides support to authentication, integrity, confidentiality and non-repudiation services through the use of X.509 certificates.
The DPKI Trust Service (using the DRCA as its root) is a pan-MoD provision that will be available to all MoD recognised projects, applications, services and entities that require it, subject to approval from the DPKI Policy Management Authority (DPMA)1. Through interoperability, the DPKI will extend its Trust Services to Organisations and Nations with which the MoD has a business or operational requirement, such as NATO, the US DoD and TSCP.
The DRCA (specifically the Hardware Security Module) maintains the Root private signing key for the DPKI. It provides all subordinate CAs with their Public and Private keys that are embedded into certificates. It also provides revocation information by issuing Authority Revocation Lists (ARL)2 on a monthly basis to these CAs as well as emergency ARLs when required.
A strict process is followed to verify the identity of those who request subordinate certificates or emergency revocations, and a validation process is invoked to ensure they are authorised to do so.
To become a customer of the DRCA, the potential customer must outline their justification for wanting to enrol by raising a DRCA Subordinate CA Request. The DPMA will decide on a case-by-case basis whether to permit or deny the request, the outcome of which will be relayed back to the customer. The DRCA Subordinate CA Request document outlines the customer request procedures, the obligations of the involved parties and the request forms themselves. Customers could potentially be any organisation or Ally that has a business or operational relationship with the MoD.
1 The DPMA is the governing body of the DPKI.
2 ARL is a term unique to Entrust technology. For clarity in this document, the term ARL can be interpreted as CRL (Certificate Revocation List).
Participants in the electronic trust services industry strive: