
Overview of DCE Certification

In the discussion that follows, note that the term "principal" does not necessarily mean or imply "DCE principal." In a general sense, a principal is any name that can be authenticated (that is, any name that has one or more associated keys). A DCE principal (one that is registered in the DCE registry) has DES key(s) maintained within the registry, while a public key (PK) principal has one or more public keys (generally stored within certificates). The only situation in which a PK principal has to be a DCE principal is where an application is using the "registry retrieval" policy (see "Direct secd Lookup: DCE Registry Lookup Policy Model" below), since this policy retrieves the principal's public keys from its registry entry.

The DCE certification service provides for the secure storage and retrieval (by principal name) of public keys. The keys are stored in the DCE directory service, under the principal names with which they are to be associated.

Principals' public keys are thus easily accessible through the namespace. However, in order to be regarded as valid (certified), the public key information must be properly "signed" by the certifying authority (CA) authorized to deposit public key information for the principal in question. The public key, with the signature of the CA that issued it, is stored (together with various other data) in a format defined by the ISO 9594-8/X.509 standard and called a certificate. Which certifying authority is the authorized one for a given certificate is defined by the trust policy model applicable to the subject in whose name the certificate is issued.

The CA's signature takes the form of a checksum on the public key, encrypted with the CA's own private key; it is verified by decrypting it with the CA's public key. The certificates are thus secure from tampering by any entity but the authorized (according to the defined policy model) CA, which alone possesses the private key required to sign the data.
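The signing and verification steps described above can be sketched as follows. This is an added example, not code from DCE or its certification API: the certificate is a simplified record rather than an X.509 structure, the checksum is assumed to be SHA-256 over the principal name and key, and the key pairs are constructed toy values using unpadded textbook RSA.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed toy keys built from known Mersenne primes (illustrative only;
# a real CA uses randomly generated keys and a padded signature scheme).
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**607 - 1, 2**1279 - 1)

def checksum(subject, subject_key):
    """SHA-256 over the length-prefixed principal name and its public key."""
    name = subject.encode()
    data = len(name).to_bytes(2, "big") + name + subject_key
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(subject, subject_key, ca_private):
    """CA side: encrypt the checksum with the CA's private key."""
    n, d = ca_private
    return {"subject": subject, "public_key": subject_key,
            "signature": pow(checksum(subject, subject_key), d, n)}

def is_certified(cert, ca_public):
    """Verifier side: decrypt the signature with the CA's public key and
    compare it with a checksum recomputed from the certificate contents."""
    n, e = ca_public
    sig = cert["signature"]
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == checksum(cert["subject"], cert["public_key"])

if __name__ == "__main__":
    cert = issue("alice", b"constructed-public-key-for-alice", CA_PRIVATE)
    print("as issued:       ", is_certified(cert, CA_PUBLIC))
    swapped = dict(cert, public_key=b"constructed-substitute-key")
    print("key replaced:    ", is_certified(swapped, CA_PUBLIC))
    renamed = dict(cert, subject="bob")
    print("subject renamed: ", is_certified(renamed, CA_PUBLIC))
    rogue = issue("alice", b"constructed-substitute-key", OTHER_PRIVATE)
    print("unauthorized CA: ", is_certified(rogue, CA_PUBLIC))
```

Only the first check succeeds: changing the stored key or the subject name changes the recomputed checksum, and a record signed with any key other than the authorized CA's private key does not decrypt to a matching value.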

More:

Use of Public Keys

Contents of Certificates

Component Parts of the DCE Certification API

High Level Certification API

Policy Models