  1. Keep it safe

    Unipass is a service based on digital certificates. Digital certificates make use of a technology called public key cryptography. During the collection process for a Unipass, your computer creates two keys: the Public Key, which is published within your certificate and in the Unipass repository, and the Private Key, which is stored on your computer. We do not have access to your private key. It is generated locally on your computer and is never transmitted to us. The integrity of your Unipass depends on your private key being controlled exclusively by you.


  2. How is my Unipass private key protected?

    Your private key is protected in two ways:

    1. It is stored on your computer's hard drive so you can control access to it.
    2. When your browser generates your Unipass private key at collection time, it may ask you for a password. This password protects access to your private key.
      A third party can access your private key only by:
      1. having access to the file your key is stored in (which is usually part of your system's configuration information) and
      2. knowing your private key password.

      Some software permits you to choose not to protect your private key with a password. If you use this option, then you are trusting that no one, presently or in the future, will have unauthorised access to your computer.
      In general, it is far easier to use a password than to completely safeguard your computer physically. Not safeguarding access to your private key is a bit like pre-signing all of the cheques in your chequebook and then leaving it open on your desk.

  3. How should I protect my Unipass and its private key?

    The best way to protect your Unipass and its private key is to protect your computer from unauthorised access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). You should take measures to protect your computer from viruses, because a virus may be able to attack a private key. We recommend that you also protect your private key with a good password.

    See http://csrc.nist.gov/publications/nistbul/csl96-08.txt concerning private key security and http://csrc.nist.gov/publications/nistbul/csl90-08.txt concerning computer virus attacks.

  4. What is a "good" password?

    A good password is one that is long enough and unusual enough that an exhaustive search (such as by using a dictionary) is not likely to reveal it. A good password is easy for you to remember but difficult for someone else to guess. Use a password of at least eight characters. Do not use something obvious or easily traceable to you, such as your telephone number, birth date, or the name of a member of your family. Do not use an ordinary English word, a familiar jargon term, or a password that you have previously used. If you write down your password, do not store it in an easily accessible place.

  5. I saw a form on a web page that asked for my private key password. Why do they need it?

    They DON'T. Never give your private key password to anyone. No legitimate business ever needs to know this information.

  6. Someone asked me to export my Unipass with the private key and send it to them. Should I do this?

    You SHOULDN’T, unless the request has come from the Unipass Helpdesk. If you are asked to do this, please contact the Unipass Helpdesk on 0871 22 12345. It is all right to send your Unipass without the private key, because the recipient cannot then purport to be you.

  7. Where does my computer store my private key?

    Your private key is typically stored on your computer in an encrypted-format file that can only be unlocked (decrypted) using your private key password. Different programs may store your private key in different places.

  8. I need to use my Unipass both at home and at work. Can I safely move my Unipass to another computer?

    As long as it's only for your own use. It is possible to move your Unipass from one computer to another, as long as both computers are running similar software, and you maintain the security of the Unipass at all times. We strongly recommend that you call the Unipass Helpdesk on 0871 22 12345 if you need to use your Unipass on more than one PC.

  9. Can I change my private key password without getting a new Unipass?

    Yes. Your private key password encrypts your Unipass private key. You can change this password (thereby re-encrypting your private key) using the program you used to create it. For example, with Netscape you can change your password from the "Passwords" dialogue accessed from the Security Preferences menu. You should immediately change your password if you think someone else may have learned it.

  10. I forgot my private key password. Can someone change it for me?

    Unfortunately not. If you have forgotten your private key password, no one can help you recover it, and you will have to apply for a new Unipass. In addition, any secure E-mail messages encrypted using your public key will be effectively lost. In some cases you might also have to reinstall your E-mail software and web browser. We know this may not seem very helpful, but there is always a trade-off to be made between security and convenience. If there were some way for another person to recover your private key password for you, then he or she could steal it and use it for purposes you might not approve of.

  11. Someone stole my computer. Can they use my Unipass now?

    If you used a good password to protect your private key, then it is unlikely that the thief will be able to use your Unipass. However, you should still contact the Helpdesk on 0871 22 12345 to have your Unipass revoked and a new one issued to you (with a new public and private key).

  12. Someone stole my computer and I chose NOT to password-protect my Unipass. What do I do now?

    Notify the Helpdesk immediately on 0871 22 12345 that your Unipass has been compromised. We will then arrange to revoke your Unipass and get you a new one.

  13. I rely on my Unipass for very confidential communications. Is there any way I can further protect it?

    There are hardware devices available that are more secure than your hard drive for storing your private key. These are known as tokens (typically smart cards or USB tokens). We are evaluating some of these devices and their implications to see if they are suitable for the Unipass service.
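
The behaviour described in questions 7, 9 and 10, as an added example that is not Unipass code: changing the password re-encrypts the same private key, so the public key in the certificate stays valid, and a wrong or forgotten password cannot unlock the file. It assumes the third-party Python `cryptography` package, a PKCS#8 PEM key file and constructed passwords; browsers keep keys in their own stores.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

OLD_PW = b"old-Passphrase-1998"   # constructed sample passwords
NEW_PW = b"new-Passphrase-2024"


def encrypt_key(private_key, password: bytes) -> bytes:
    """Serialise a private key as password-encrypted PKCS#8 PEM."""
    return private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def public_pem(private_key) -> bytes:
    """Public half of the key pair, the part a certificate carries."""
    return private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def change_password(key_file: bytes, old: bytes, new: bytes) -> bytes:
    """Decrypt with the old password, re-encrypt the same key with the new one."""
    key = serialization.load_pem_private_key(key_file, password=old)
    return encrypt_key(key, new)


def can_unlock(key_file: bytes, password: bytes) -> bool:
    """True only if the password decrypts the key file."""
    try:
        serialization.load_pem_private_key(key_file, password=password)
        return True
    except ValueError:  # wrong password: nothing can be recovered from the file
        return False


def demo() -> dict:
    key = ec.generate_private_key(ec.SECP256R1())  # constructed sample key pair
    old_file = encrypt_key(key, OLD_PW)
    new_file = change_password(old_file, OLD_PW, NEW_PW)
    reloaded = serialization.load_pem_private_key(new_file, password=NEW_PW)
    return {
        "file_is_encrypted": b"ENCRYPTED PRIVATE KEY" in new_file,
        "public_key_unchanged": public_pem(reloaded) == public_pem(key),
        "old_password_opens_new_file": can_unlock(new_file, OLD_PW),
        "new_password_opens_new_file": can_unlock(new_file, NEW_PW),
    }
```

Any copy of the key file made before the change still opens with the old password, so a password change does not protect a copy that has already left your control.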