Affiliate Registration Organisation Functions

AROs perform a series of functions which allow the decentralisation and outsourcing of several activities required for the provision of certification services. In performing such functions, AROs are required to comply with:

  • the Certification Practice Statement of the Affiliate Certification Authority to which they are subordinate;

  • the Certificate Policy corresponding to the certificates they process (e.g. Identity Certificates, Confidentiality Certificates, etc.) and the Privacy Policy;

  • the ARO Administrator Guide; and

  • the ACA - ARO Agreement.

The essential functions AROs perform include:

  • Identification of End Users

  • Secure Cryptographic Key Pair Generation

  • Requesting the issuance, renewal, suspension and revocation of certificates

  • Maintaining archives of their operations, including the documentation presented by certificate applicants.

  • Local training on information security and the use of public key certificates.

  • Distribution of certificates, PIN letters and key pair storage devices to their customers.

  • Additional Revenue Generating Services

a) Identification of End Users

One of the fundamental activities undertaken by AROs for the provision of certification services is the identification of the entity to which a certificate will be issued, be it an individual or a legal entity (i.e. company or other institution). Due to the ease of deployment and low cost of Affiliate Registration Organisation systems, they are ideal candidates to either directly perform the identification of certificate applicants or know what local entities can securely provide such identification services (e.g. notaries, chambers of commerce, and trade registries).

The Affiliate Registration Organisation can develop its own business plan to determine whether identification should be done directly by itself, or through a reliable outsourced entity that complies with the high-security identification procedures required in the WISeKey PKI and described in the CPS and Certificate Policy of the relevant Affiliate Certification Authority.

In some cases, the Affiliate Registration Organisation can be installed within an institution or a company in order to provide certification services for the employees of such an institution or company. The identification procedure may therefore be done internally as the records of each employee are already maintained and easily accessible.

In all cases, AROs are required to maintain an archive of all documentation used in the identification procedure (regardless of whether it is outsourced or not), as explained in the "Maintaining Archives" section below.

b) Secure Cryptographic Key Pair Generation

Most End Users do not have the capacity or knowledge to generate the cryptographic key pairs required for the issuance of a certificate. It is therefore necessary to provide them with a mechanism by which they can obtain cryptographic key pairs in a sufficiently secure manner by using appropriate algorithms and guaranteeing that a copy of such key pair is not held by anybody else.

Affiliate Registration Organisations have the capacity of generating cryptographic key pairs in a way that complies with international standards and provides the aforementioned guarantee. Where an ARO cannot provide this service, the Affiliate Certification Authority or Affiliate Registration Authority would do so on its behalf and deliver it directly to the End User or to the ARO.

The ARO system includes a standard implementation for high-security key pair generation services. This is based on the capabilities of dedicated USB token and smart card products to generate key pairs on the hardware itself. At no moment is the private key ever outside the hardware in which it is generated (USB token or smart card), and it is protected in such a manner that there is no way to recover, back up or archive the private key.

c) Requesting the issuance, renewal, suspension and revocation of certificates

Affiliate Registration Organisations play a crucial role in the WISeKey Public Key Infrastructure as they constitute the "tentacles" that give local access and support to End Users. Consequently, End Users become THEIR CLIENTS, which represents an opportunity to offer other goods and services.

In doing so, they provide End Users with the possibility of locally sending the certificate requests for high-security certificates (which are more secure than certificates downloaded from a Web Site). The ARO also provides a location that End Users can contact or visit to request the suspension or the revocation of their certificates in the event that, for example, they lose their private key. It is important to note that under no circumstances can the private key be recovered if the USB token or smart card is lost, destroyed or damaged. In such cases, a new key pair must be generated and a new certificate issued.
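The two properties described in sections b) and c), that the private key never leaves the device on which it was generated and that the ARO forwards only a signed certificate request, can be shown with a PKCS#10 enrolment flow. The following Go program is an added illustration and is not code from the ITU page or from WISeKey; the `Token` type is an assumed software stand-in for the USB token or smart card (a real token keeps the key in hardware and exposes only signing), and the applicant name and the `VerifyRequest` check are constructed for the example. The registration side verifies the request's self-signature as proof that the applicant holds the private key, confirms that the subject matches the identity recorded during identification, and forwards only the public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Token is an assumed software stand-in for the USB token / smart card on the
// page. It deliberately exposes no method that returns the private key: the only
// operations available are "sign a request" and "give me the public key".
type Token struct {
	priv *ecdsa.PrivateKey
}

// NewToken generates the key pair "on the device". There is no backup copy.
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// BuildCSR produces a PEM-encoded PKCS#10 request signed by the on-token key.
// Only the public key and the signature leave the token.
func (t *Token) BuildCSR(commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, t.priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// VerifyRequest is the check the ARO performs before forwarding a request to the
// ACA: parse the PEM, verify the self-signature (proof of possession of the
// private key) and confirm the subject matches the identified applicant.
func VerifyRequest(csrPEM []byte, identifiedName string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != identifiedName {
		return nil, fmt.Errorf("subject %q does not match identified applicant %q",
			csr.Subject.CommonName, identifiedName)
	}
	return csr, nil
}

func main() {
	// Constructed sample applicant; the name would come from the identification step.
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	csrPEM, err := tok.BuildCSR("Alice Example")
	if err != nil {
		panic(err)
	}
	csr, err := VerifyRequest(csrPEM, "Alice Example")
	if err != nil {
		panic(err)
	}
	// Only the public key is forwarded; the token never exported the private key.
	pub := csr.PublicKey.(*ecdsa.PublicKey)
	fmt.Printf("request for %q verified, forwarding %s public key\n",
		csr.Subject.CommonName, pub.Curve.Params().Name)
}
```

Because the token offers no export path, a lost or damaged device has exactly the consequence section c) states: the request flow has to start again with a fresh key pair, and the old certificate is revoked rather than recovered.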

d) Maintaining Archives


Affiliate Registration Organisations maintain archives of their operations in accordance with the Privacy Policy of the ACA under which they operate. This includes all of the physical documentation presented by certificate applicants during the certificate application process. These archives constitute an essential part of providing certification services: in the event that the validity of a certificate or a digital signature is doubted, the procedure undertaken by the ARO and the documents archived will be the proof that the certificate issuance process was done appropriately and that the certificate is therefore reliable as proof of identity and of the other properties provided by the technology and the applicable law (e.g. integrity, legal validity, etc.).

e) Distribution of certificates, PIN letters and key pair storage devices to their customers

If the ARO decides to provide a full certificate processing center, they will have the capacity to locally manage the distribution of certificates, cryptographic key tokens and the PIN letters for the tokens. Depending on the implementation required by the ARO, this might include printing of smart cards (e.g. with the ARO logo, the client’s picture and/or the client’s logo).

f) Local training on information security and the use of public key certificates

Many ARO clients will require training on the problems that arise with regard to information security, on the use of certificates and on other related areas. This may constitute an additional source of revenue for AROs and hence improve their business model.

g) Additional Revenue Generating Services

As is well known, certificates are a tool that can be used for many purposes, in much the same way that a manual signature and identity documents have been for many centuries. WISeKey is constantly seeking applications in which the End Users can actively use their certificates. In order to satisfy the needs of their clients, AROs may offer a wide variety of applications and online services which their customers may be able to access upon payment of a subscription fee and purchase of a WISeKey certificate. In such cases, the ARO could generate additional revenue from the sale of subscriptions to such applications or online services.

Copyright © ITU 2002 All Rights Reserved
Contact for this page : E-Strategy Unit
Updated : 2001-08-14