Enabling Secure Business Operations

Renewal, Re-key, and Re-issuance

August 24th, 2007

Someone asked me a question yesterday and I initially wanted to just point them at a document or website rather than type out my explanation. Unfortunately, 5 minutes of searching yielded no results. So, below is my guide to the difference between renewal, re-key, and re-issuance of an X.509 public key certificate.

  • Renewal is when all the identifying information and the public key from the old certificate are duplicated in the new certificate, but there is a different (longer) validity period.
  • Re-key is when all the identifying information from the old certificate is duplicated in the new certificate, but there is a different public key and (usually) a different validity period.
  • Re-issuance is when a certificate holder registers for a new certificate, but there is an opportunity to change the identifying information (e.g. new email address, new last name, etc.) or other information (corrected certificate policies, modified key usage, etc.) from what was in the old certificate. The new certificate also has a different public key and a different validity period from the old certificate. (Thanks to Carl Wallace for suggesting the addition of non-ID information changes.)
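
The three definitions above, written as a comparison between an old certificate and its replacement. This is an added example, not code from the original post; the `CertFields` container, the `classify_replacement` function, and the sample values are hypothetical, and "longer validity" is assumed to mean a later notAfter date.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class CertFields:
    """Hypothetical container; real values would be parsed from each certificate."""
    identity: tuple          # subject DN and subjectAltName entries
    other_info: tuple        # key usage, certificate policies, etc.
    public_key_sha256: str   # fingerprint of the SubjectPublicKeyInfo
    not_before: date
    not_after: date

def classify_replacement(old: CertFields, new: CertFields) -> str:
    """Label the old -> new transition using the three definitions above."""
    same_info = (old.identity, old.other_info) == (new.identity, new.other_info)
    same_key = old.public_key_sha256 == new.public_key_sha256
    same_validity = (old.not_before, old.not_after) == (new.not_before, new.not_after)

    if same_key:
        # Renewal: identical info and key, validity extended (assumed to mean
        # a later notAfter).
        if same_info and new.not_after > old.not_after:
            return "renewal"
        return "unclassified"  # e.g. old key reused with changed identity
    if same_info:
        # New key, same info. A re-issuance in which nothing was changed looks
        # identical from the certificates alone, so this reports re-key.
        return "re-key"
    # New key and changed info; the definition also expects new validity.
    return "unclassified" if same_validity else "re-issuance"

# Constructed sample data (fingerprints are placeholders, not real hashes).
OLD = CertFields(("CN=Alice Smith", "email:alice@example.com"),
                 ("digitalSignature",), "key-A", date(2006, 8, 1), date(2007, 8, 1))
RENEWED = replace(OLD, not_before=date(2007, 7, 15), not_after=date(2008, 8, 1))
REKEYED = replace(RENEWED, public_key_sha256="key-B")
REISSUED = replace(REKEYED, identity=("CN=Alice Jones", "email:alice@example.com"))
KEY_REUSED = replace(RENEWED, identity=("CN=Alice Jones", "email:alice@example.com"))

if __name__ == "__main__":
    for name, cert in [("RENEWED", RENEWED), ("REKEYED", REKEYED),
                       ("REISSUED", REISSUED), ("KEY_REUSED", KEY_REUSED)]:
        print(name, "->", classify_replacement(OLD, cert))
```

The "unclassified" result covers transitions that match none of the three definitions, such as an old public key carried into a certificate with changed identifying information.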

OK, so that’s one page for my as-yet unwritten book on PKI. I welcome ideas for other pages!

Saving Lives with PKI and SAFE Digital Signatures

August 21st, 2007

I presented at the MS-HUG Tech Forum today in Redmond. The title of my presentation was Saving Lives with PKI and SAFE Digital Signatures, and it provided information about Microsoft’s Identity Management solutions and the Office 2007 SAFE Signature Plugin we wrote. I co-presented with Avi Ben-Menahem, Lead Program Manager for PKI and Smart Card technologies at Microsoft.

The presentation is available for download in pptx and pdf formats.

I welcome any comments or questions!

Office 2007 SAFE Signing Interface

August 13th, 2007

As posted first in Les Jordan’s Life Sciences Developers and Architects blog, you can now download the SAFE Signing Interface for Office 2007 from http://www.codeplex.com/safe.

The project is the result of a collaboration between Gemini Security Solutions and Microsoft, and the result provides a fully SAFE-compliant digital signature interface. It’s open source, so you are welcome to download the code, enhance it as you wish, and (hopefully) share your changes back to Codeplex.

To learn more about SAFE, go to http://www.safe-biopharma.org.

Why you don’t want to disable UAC

August 10th, 2007

The Windows Vista Security blog has a great post entitled FAQ: Why can’t I bypass the UAC prompt? which provides good answers to the common questions around User Account Control. It also gives some insight on why Microsoft made the design decisions that they did.

We expect that in ordinary day-to-day usage, users should rarely, if ever, see elevation prompts, since most should rarely, if ever, have to perform administrative tasks – and never in a well-managed enterprise. Elevation prompts are to be expected when setting up a new system or installing new software. Beyond that, they should be infrequent enough that they catch your attention when they occur, and not simply trigger a reflexive approval response.

UAC is a great feature and too many people cite it as a reason for not moving to Vista, or disable it once they have moved to Vista. I’ve been running Vista full-time for about a month now. Yes, while I set up the system and installed applications and drivers, UAC got on my nerves. Now, I only see it when I infrequently perform administrative tasks like installing software or changing system settings. I view this as a good thing.