L.1 Overview
To establish trust in the authenticity of a Descriptor’s digital signature, the certificate used to create the signature needs to be linked to a trusted certificate authority (CA) certificate through a chain of trust. Since the root CA certificate has not been issued by another CA – it is by definition at the tip of the trust chain – trust in it is not established through technical means but through organisational measures.
The root certificates of a number of commercially operated CAs are included in operating system installations and are trusted by default, although users may decide to mark some of these root certificates untrusted (thereby revoking trust in them). A digital signature that can be linked to such a certificate is the most reliable way to establish trust in a Descriptor’s authenticity.
A company may also decide to operate an in-house root CA and share its root CA certificate with its customers, who then import it into their store of trusted certificates.
To create digital signatures that can be trusted by parties other than the signer, an engineering tool needs the capability to create a signing certificate and enrol it with a CA, thereby linking it to the CA’s certificate. The CA the certificate is enrolled with is typically a sub-CA of either a commercially operated or an in-house root CA.
While using a self-signed certificate in an engineering tool can be useful in special situations, it puts the burden of establishing trust in the certificate on the receiver of the Descriptor. Ideally, this is limited to scenarios where the signer has a secure way to transmit the certificate to the receiver of the Descriptor, e.g., by handing it over in person on a physical medium.
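
The following is an added example, not part of the specification: it uses the OpenSSL command line as a stand-in for an engineering tool's enrolment capability and shows how a receiver's chain check treats an enrolled signing certificate and a self-signed one. All subject names, file names and helper function names are assumptions made for the illustration, and no Descriptor is signed here; only the certificate chain is checked.

```shell
#!/bin/sh
# Constructed demo PKI; all subject names and file stems are made up for illustration.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT

# CA certificates must assert CA:TRUE; the signing certificate must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"

new_csr() {       # $1 = file stem, $2 = CN: key pair plus certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
self_sign() {     # $1 = file stem, remaining args = extra x509 options
    s=$1; shift
    openssl x509 -req -in "$d/$s.csr" -signkey "$d/$s.key" -days 30 \
        -out "$d/$s.crt" "$@" 2>/dev/null
}
enrol() {         # $1 = subject stem, $2 = issuing CA stem, $3 = extension file
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.crt" -CAkey "$d/$2.key" \
        -CAcreateserial -extfile "$d/$3" -days 30 -out "$d/$1.crt" 2>/dev/null
}
chain_trusted() { # $1 = trusted certificate, $2 = certificate to check, $3 = intermediates (optional)
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

new_csr root   'Demo Root CA';            self_sign root -extfile "$d/ca.ext"
new_csr sub    'Demo Sub CA';             enrol sub root ca.ext
new_csr signer 'Demo Descriptor Signer';  enrol signer sub leaf.ext
new_csr lone   'Demo Self-Signed Signer'; self_sign lone

# Receiver whose trust store holds only the root CA certificate:
chain_trusted "$d/root.crt" "$d/signer.crt" "$d/sub.crt" && echo "enrolled signer: trusted via sub-CA and root"
chain_trusted "$d/root.crt" "$d/signer.crt" || echo "enrolled signer, sub-CA certificate missing: chain cannot be built"
chain_trusted "$d/root.crt" "$d/lone.crt"   || echo "self-signed signer: not trusted"
# The self-signed certificate is accepted only once the receiver imports it as trusted:
chain_trusted "$d/lone.crt" "$d/lone.crt"   && echo "self-signed signer: trusted after explicit import"
```

The second check shows that a receiver also needs the sub-CA certificate to build the chain, so it has to be delivered alongside the signing certificate or already be available to the receiver.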