Added Value Ticket (AVT)
These are regular X.509 Digital Certificates, but they chain to an AllIncontext Limited Intermediate Certificate, which in turn chains to an AllIncontext Limited Root Certificate. The Root Certificate is a Trust Anchor: it is self-signed, so nothing above it vouches for it, and it is accepted only because the relying party chooses to trust it, just like any commercial Certificate Authority (CA) Root Certificate. So the AllIncontext Certificate hierarchy is:
AllIncontext Limited Root Certificate
┗ AllIncontext Limited Intermediate Certificate
  ┗ AllIncontext Limited AVT
The purpose of the Intermediate Certificate is to protect the Root Certificate Private Key, which is stored off-line; day-to-day signing is done with the Intermediate's Private Key instead. Only the Root Certificate Public Key is on-line, and that is all a relying party needs to check the Intermediate's signature. A Certificate lower in the hierarchy is signed by the Private Key of the Certificate above it, and that signature is verified with the Public Key carried in the Certificate above it. Each AVT is keyed to the PC that made the Certificate Signing Request (CSR). The AVT can be moved to another PC, but there it will only act as a standard X.509 Digital Certificate, not as an AVT.
You can use the AVT for Public Key Encryption and Decryption of Data, for example Files. In practice a Public Key Cipher only Encrypts a small amount of Data directly, so a File is normally Encrypted with a Symmetric Key, and it is that Key which is Encrypted with the Certificate's Public Key (hybrid encryption); the matching Private Key is needed to unwrap the Key and read the File.
How secure are X.509 Digital Certificates for this? It is probably best to think of them as protecting Plain Text Data from casual perusal while it is stored as Cipher Text: the Certificate only carries the Public Key, and the Encryption is no stronger than the algorithm used with it and the protection given to the matching Private Key. For long-term Encryption, Data should be Encrypted with a Symmetric Cipher that provides Authenticated Encryption with Associated Data (AEAD), for example AES-GCM or ChaCha20-Poly1305. Encryption without Authentication is not secure: an attacker who cannot read the Cipher Text can still modify it, and the modification goes undetected when it is Decrypted.
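As an added example, not code from the AVT product, the following Go program shows the hybrid pattern described above and why the AEAD requirement matters. A file is encrypted under a per-file AES-256-GCM key, that key is wrapped with an RSA-OAEP public key standing in for the key pair behind the certificate, and flipping one ciphertext bit makes decryption fail. The same flip against unauthenticated AES-CTR silently changes the plaintext instead. The Envelope layout, names and sample data are constructed for the example and are not the AVT's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored form of an encrypted file in this example: the
// per-file AES key wrapped with the recipient's RSA public key, the GCM
// nonce, and the ciphertext with its authentication tag appended.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewRecipient generates the RSA key pair standing in for the certificate's
// key pair. 2048 bits keeps the example fast.
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for pub. The bulk data goes under a fresh AES-256
// key with GCM (an AEAD); only that 32-byte key is encrypted with RSA-OAEP.
// aad is authenticated but not encrypted, e.g. the file name it belongs to.
func Seal(pub *rsa.PublicKey, aad, plaintext []byte) (*Envelope, error) {
	key, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open reverses Seal. gcm.Open checks the tag before releasing any plaintext,
// so a modified ciphertext, nonce or aad yields an error rather than garbage.
func Open(priv *rsa.PrivateKey, aad []byte, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// CTRBitFlip shows the failure mode of encryption without authentication:
// decrypting an AES-CTR ciphertext whose byte at pos had one bit flipped
// returns plaintext with the same bit flipped, and reports no error at all.
func CTRBitFlip(key, plaintext []byte, pos int) ([]byte, error) {
	if pos < 0 || pos >= len(plaintext) {
		return nil, errors.New("pos out of range")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize()) // all-zero IV: throwaway key, used once
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	ct[pos] ^= 0x01 // the attacker edits the ciphertext without knowing the key
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	priv, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	msg, aad := []byte("Pay 100 to Alice"), []byte("report.txt") // constructed sample
	env, _ := Seal(&priv.PublicKey, aad, msg)
	env.Ciphertext[0] ^= 0x01
	_, err = Open(priv, aad, env)
	fmt.Println("GCM after bit flip:", err)
	pt, _ := CTRBitFlip(make([]byte, 32), msg, 4)
	fmt.Printf("CTR after bit flip: %q (no error)\n", pt)
}
```

The CTR result is the point of the passage: the "1" in "Pay 100" becomes "0" and the decryptor has no way to know. With GCM the same edit is rejected before any plaintext is returned, and changing the associated data (say, renaming the file) is rejected the same way.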
You also have to consider Bruce Schneier's Skill-Focus Matrix. An attack on Encrypted Data by someone with High Skill and High Focus will likely succeed. They will probably not try to brute force the Decryption of the Data (that is usually a last resort) but will instead try to gain access to the Private Key, which is why the Private Key, not the Cipher Text, is the thing to protect.