An official website of the United States government.

This is not the current EPA website. To navigate to the current EPA website, please go to This website is historical material reflecting the EPA website as it existed on January 19, 2021. This website is no longer updated and links to external websites and some internal pages may not work. More information »

Cross-Media Electronic Reporting Rule

Lesson 7: Key Decision 1 - Type of Credential Used (continued)

For example, consider the following two types of credentials:

  • Shared secrets in the form of PINs or passwords
  • Certificates associated with private-public key pairs that are used to execute digital signatures
Type of Credential
Example Solutions Solution A
PINs or Passwords
Solution B
Private-Public Key Pairs
Issuing Credential Requires Secure Socket Layer (SSL), Transport Layer Security (TLS) or another technology during setup to protect them as they travel between registrant and system. The private key—which is used to execute the signatures—can be generated at the user's work station, so may not need to travel between registrant and system.
Binding Signature to Document Content Execution of a PIN- or password-based signature does not bind it to the document signed, so the system must provide additional functionality to provide for signature binding. The digital signature executed with the private key is bound to the document signed because the signature is just the hash value of the document content encrypted with the private key.
Signature Validation Can rely wholly on internal system records of PINs or passwords registered or issued by the system. Where the certificate associated with the key pair is issued by a third party—for example, where this is a PKI certificate—then validation requires interaction with the issuing authority to determine that the certificate is valid.
Including Signatures in Copies of Record Signatures consisting of the PIN or password "in the clear" need "shielding" on the CORs—for example by being encrypted or hashed—so that PINs and passwords are not compromised by providing access to the CORs. Access to a digital signature on a COR does not raise any issues of credential compromise because a digital signature does not include and provides no way to derive the private key needed to execute it.

Private Public Key Pairs

Each user has a pair of cryptographic keys—a public key and a private key. The private key is kept secret, while the public key may be widely distributed.

Digital Signature

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped.

Public Key Infrastructure (PKI)

PKI enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

Back | Next