1) A Key Requestor makes a request to recover one or more of a user’s keys.
2) The request is queued for Key Request Agent 1 (KRA1). An email notification is generated to notify all the members of the KRA1 group — as well as any other individuals that should be notified, such as security officers or Legal — that a key recovery process has commenced.
3) KRA1 retrieves and reviews the request to determine whether it is appropriate and meets applicable policies and agency guidelines. KRA1 can then approve or reject the request, or allow it to expire.
4) If approved by KRA1, an email notification is generated to alert Key Request Agent 2 (KRA2). KRA2 reviews the request to determine if appropriate and meets applicable policies and agency guidelines. KRA2 can then approve or reject the request, or allow it to expire.
5) If approved by KRA1 and KRA2, the Requestor is notified that request has been approved and the keys are ready for recovery. The Requestor may recover the keys to an approved storage format.