The DCE certification service is intended to form one part of an implementation of a public key based authentication (and data protection) service in DCE. Thus the first-level users of the certification API will be various components of DCE itself; for example, RPC. However, the certification service can also be (and is intended to be) used by distributed applications that wish to use public keys for their own authentication or data protection purposes. The high-level public key retrieval routines are designed for this kind of use.
The low-level certification routines, on the other hand, are intended for applications that wish to implement and add new policies and/or cryptographic modules. For example, adding a new policy will involve the following development task(s):
· Implementing and registering a policy module (see below)
For example, a mail application that wished to institute its own model for authenticating users by public
key would need to have its own policy module.
· (Optional) Implementing and registering a cryptographic module (see below)
Cryptographic modules implement the various signature algorithms required to allow
policy modules to verify retrieved certificates. Policy modules are generally concerned only with signature verification, and (due to licensing constraints) signature generation functions are not
supplied with the cryptographic modules provided with the DCE reference implementation. Applications that wish to use the public keys returned by the DCE certification facility will typically augment
the supplied verification functions with signature generation routines.
Other possible users of the DCE certification API might be developers who wish to implement their own signature algorithms (cryptographic modules). (Signature algorithms are specified in a field in the certificate; they are selected at the time a certificate is created.) Only developers who wish to add to the available signature algorithms, or who wish to add signature generation capability to a supplied algorithm, will need to implement new cryptographic modules.
The low-level certification API is not intended to be accessed directly by run-of-the-mill DCE applications.