What Are Root Keys and Signer Keys?

Digital identity systems employ a layered key architecture to strike a balance between security and operational flexibility. Root keys provide the highest level of trust, while signer keys handle the issuance of day-to-day credentials. This separation protects the most sensitive cryptographic assets while enabling credentials to be issued at scale.

The layered approach

DMVs and other credential issuers don't sign millions of credentials directly with their most protected key. Instead, they use a hierarchy: a root key at the top authorizes one or more subordinate signer keys, and those signer keys perform the actual credential signing.

The root key is the ultimate trust anchor. It's secured in the highest-grade HSM, accessed rarely, and protected by the most stringent controls. The root key’s primary job is to authorize subordinate keys, often by issuing certificates to intermediate or document-signer keys, so verifiers can validate a chain of trust.

Signer keys, also known as document signer keys, manage the day-to-day tasks of signing credentials. When a DMV issues a mobile driver's license, a signer key is used to generate the digital signature. These keys are still protected in HSMs, but they're more accessible for operational use.

Why separation matters

This separation of duties keeps the root key highly protected while still enabling issuance at scale. If a signer (document signer) key were compromised, the root key could still authorize a replacement signer key. The incident response, however, typically involves distrusting or revoking the signer certificate, which can affect every credential that relies on that signer key unless the program has an independent credential-status model.

By contrast, if organizations used a single key for everything (not recommended!), compromising that key would undermine the entire credential program. Every credential ever issued would become suspect, and rebuilding trust would require starting from scratch.

What is key rotation?

Signer keys are rotated on a defined schedule (often monthly, sometimes shorter) to limit the window of exposure if a key is compromised and to enforce operational discipline. Each rotation creates a new signer key, authorized by the root key, while the previous signer key is retired.

Rotating signer keys helps limit the impact of a breach. If a signer key is ever stolen, the attacker can only keep using it until verifiers stop trusting that key (for example, after it’s revoked or expires). After a rotation, new credentials are signed with a different key, so a stolen older key can’t be used to forge newer credentials.

Key rotation also supports operational security practices. Regular rotation ensures that key management procedures are tested and functioning correctly, that backup systems are working as intended, and that the organization can respond quickly if a genuine compromise occurs.

How do verifiers handle key hierarchies?

When a verifier checks a credential, they validate the entire chain of trust. They confirm that the credential was signed by a valid signer key and that the signer key was authorized by the root key. This chain validation ensures that even though verifiers don't interact directly with the root key, they can trace trust back to it.

Verifiers can keep a trusted list of root keys that act as the top-level trust anchors for each issuer. In this case, when a DMV rotates its signer keys, verifiers usually don’t need to change that root list, but they do need a way to learn and validate the new signer certificate (for example, via the certificate chain included in the presentation, a trusted update service, or an updated trust list).
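A minimal working model of the hierarchy and chain validation described above, added here as an example (not code from the original article) using only Go's standard library: the root key certifies a document signer key once, the signer key signs credentials, and the verifier chains the presented signer certificate to its pinned root before checking the credential signature. The issuer names, the rotation window passed in, and the credential bytes are constructed, and Ed25519 is an assumed algorithm choice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert certifies pub under parent using parentKey (parent == tmpl yields a self-signed root).
func issueCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return cert
}

// NewIssuer uses a fresh root key exactly once, to certify a signer key valid for signerValidity (the
// rotation window), then discards the root key. Returns the root pool verifiers pin, the signer cert, the signer key.
func NewIssuer(now time.Time, signerValidity time.Duration) (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example DMV Root (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0)}
	root := issueCert(rootTmpl, rootTmpl, rootPub, rootKey)
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "Example DMV Document Signer (constructed)"},
		NotBefore: now, NotAfter: now.Add(signerValidity)}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, issueCert(signerTmpl, root, signerPub, rootKey), signerKey
}

// SignCredential is day-to-day issuance: the signer key, never the root key, signs the credential.
func SignCredential(signerKey ed25519.PrivateKey, credential []byte) []byte { return ed25519.Sign(signerKey, credential) }

// Verify is the verifier side: chain the presented signer cert to a pinned root at time `at`
// (an expired signer, or one certified by an unknown root, fails here), then check the signature.
func Verify(roots *x509.CertPool, signer *x509.Certificate, credential, sig []byte, at time.Time) bool {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return false
	}
	return ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), credential, sig)
}
```

Passing a later `at` than the signer certificate's validity window models what happens after rotation: the old signer is no longer trusted even though the root list is unchanged.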

Root key ceremonies

Because root keys are so critical, their creation and management often involve formal ceremonies with multiple participants, witnesses, and audit trails. These ceremonies ensure that no single person can create or access a root key alone, reducing the risk of insider threats.

Root keys may be stored in HSMs located in physically secure facilities, accessed only under strict protocols, and used solely for the purpose of authorizing signer keys. This extreme protection reflects their importance: the root key is the foundation on which all credential trust rests.
