In a Nutshell: Digital Certificates as a Core Functionality of Network Infrastructure
Because digital certificates are particularly important, the network infrastructure will provide core components for implementing them. These will be based on tried and tested standards and technologies as well as open source solutions, analogous to existing systems (e.g. DFN-PKI). The technologies provided should be independent of the type of certificates and their data (school reports, vocational training certificates, academic achievements, professional qualifications or respective partial achievements, visas for students, etc.). The digital certificates should be implemented in a sustainable way with regard to technology, open standards, vendor lock-in and transparency of the code base, but also with regard to licensing models (investments and costs), in order to ensure broad acceptance.
Confirmation of authenticity and integrity of certificates
An important aspect of the networking and utilisation of digital certificates is their integrity and authenticity. To ensure both, certificates and their data are digitally signed. The digital signatures are in turn secured and made verifiable by issuing digital certificates. A proven standard for issuing and managing such certificates is the use of a Public Key Infrastructure (PKI). Within the PKI, certification authorities (CA) ensure that trustworthy certificates are issued. Registration authorities (RA) ensure that only clearly identified and authorised institutions can issue certificates.
Issuing certificates does not allow educational institutions to determine who is authorised to access the network infrastructure and who is not. Which certificates an educational institution issues, to whom and for what purpose, is not part of the process. In addition, certificates are not centrally stored or archived. The issuing of certificates is the responsibility of the educational institution; "Mein Bildungsraum" has no influence on it. Only the authenticity and integrity of a certificate issued by the educational institution can be confirmed by means of a digital signature via "Mein Bildungsraum".
Certification Authorities: a trusted anchor
The basis for the secure handling of certificates is a structure that all parties can trust: before educational institutions, as signing authorities, receive a certificate confirming their signature, it must be ensured that they are authorised to sign. To do this, they must authenticate themselves to the registration authority (RA). The RA checks whether the signing authority is authorised to sign the relevant certificates. If so, the certification authority (CA) is informed. The CA issues a certificate to the signing authority. CAs are the central 'trust anchor' in this process, confirming that digital signatures come from a trusted organisation. The certificate issued by the CA allows educational institutions to sign verifications. These certificates are technical in nature and are not subject or content-related, unlike the certificates an educational institution itself issues for a learner's achievement. This process simply enables the educational institution to sign certificates for the ultimate purpose of delivering them to learners.
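The RA check, CA issuance, signing and verification steps described above can be walked through with the OpenSSL command line. This is an added example, not code from "Mein Bildungsraum"; the RA list, all names, file names and the RSA/SHA-256 choice are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed walk-through: every name, subject and file below is made up.
set -eu

# Hypothetical RA list. Formal criterion only: is the institution authorised?
RA_AUTHORISED="Example School"

issue_signing_cert() {  # $1 = institution name, $2 = file prefix
  # RA step: refuse institutions that are not on the authorised list.
  printf '%s\n' "$RA_AUTHORISED" | grep -qxF "$1" || { echo "RA: rejected $1"; return 1; }
  # The institution creates its own key pair and a certificate request.
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1" 2>/dev/null
  # CA step: issue the technical certificate for the institution's key.
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$2.crt" -days 30 2>/dev/null
}

check_document() {  # $1 = CA cert, $2 = signer cert, $3 = document, $4 = signature
  # Authenticity: the signer's certificate must chain to the trust anchor.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "untrusted signer"; return 0; }
  # Integrity: the signature must match the document under the signer's key.
  openssl x509 -in "$2" -pubkey -noout > signer.pub
  if openssl dgst -sha256 -verify signer.pub -signature "$4" "$3" >/dev/null 2>&1
  then echo "valid"; else echo "modified"; fi
}

cd "$(mktemp -d)"
# Trust anchor: a self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Education CA" -days 30 2>/dev/null
issue_signing_cert "Example School" school

# The institution signs a learner's report; nothing is stored centrally.
printf 'Learner: A. Example\nResult: passed\n' > report.txt
openssl dgst -sha256 -sign school.key -out report.sig report.txt
check_document ca.crt school.crt report.txt report.sig

# The same signature over an edited report fails the integrity check.
sed 's/passed/passed with distinction/' report.txt > edited.txt
check_document ca.crt school.crt edited.txt report.sig

# A self-signed look-alike certificate fails the authenticity check.
openssl req -x509 -newkey rsa:2048 -nodes -keyout fake.key -out fake.crt \
  -subj "/CN=Example School" -days 30 2>/dev/null
openssl dgst -sha256 -sign fake.key -out fake.sig report.txt
check_document ca.crt fake.crt report.txt fake.sig
```

The verifier needs only `ca.crt` plus the files the learner presents, which is why no central store of issued certificates is required.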
Formal criteria instead of a central register
There is still no central register of educational institutions in Germany which, in conjunction with a registration office, can be used to identify institutions and their authorised issuers. This information is available in the federal states or, in some cases, only regionally. Against this background, it is not possible to create a central office within the framework of the network infrastructure. For this reason, the RAs and authorisation offices are designed to be decentralised. It is important that the review applies only formal criteria and none that relate to quality standards.