When should CERTAUTH or CERTSITE be the owner of a digital certificate?

Release: Top Secret 16.0

CERTAUTH is always the owner of Certificate Authority (CA) certificates.  If a certificate is used to sign other certificates it is a CA certificate and should be owned by CERTAUTH.

CERTSITE is the owner of personal (also called site) certificates that are going to be shared on multiple keyrings.  

Only the owner of a certificate can use the private key unless it is owned by CERTSITE.  Certificates owned by CERTSITE and added to other acid's keyrings will also add the private key. 

If an acid other than CERTSITE owns a certificate that certificate can be added to another acid's keyring, however; the private key will not be added.

If a personal (site) certificate is owned by an acid other than CERTSITE it should not be shared.

When CERTSITE is the owner of a personal certificate placed on an acid's keyring, the acid will need CONTROL Access to the IBMFAC(IRR.) resources.

If the acid is the owner of the personal certificate on its keyring then it will need READ Access to the IBMFAC(IRR.) Resources.