Imagine that you are about to order a T-shirt from the Power of CHEESE T-shirt Collective at www.poc.com. (Unfortunately, no such T-shirts exist, but suppose for a moment that they did.) In fact, such T-shirts, through a quirk of fate, happen to be free to all Columbia University users.
You find the order form on the Web, type in all of the billing information, and off goes your order. But how does the T-shirt seller know you are a genuine Columbia University user?
You could of course log in directly to the seller's Web server. But this would mean that not only do you have to give him your username and password (a violation of the policy!) but the seller, once he has this information, must call up someone at Columbia on the phone and ask them to verify your username and password. Not only would it be poor security practice for any one of us to answer such a call, but it would slow down your T-shirt delivery immensely.
There must be a better way, you are thinking.
And there is!
We have you log in to the Columbia University secure Web server; the server calls a CGI script that can only be accessed when you have logged in as a legitimate user. The script asks for a certificate in your name from our COD CA; this certificate is then sent off to the T-shirt seller as proof of who you are (and, in particular, that you are a member of Columbia University).
Because these certificates are granted 'on demand', the authority that issues them is called the Columbia University COD CA (Certificates On Demand CA).
This sort of certificate is sometimes called a client certificate. If you have run into these elsewhere, you might know that there is usually a private key associated with the certificate. In our case, however, the certificates are used only to verify your identity on a one-time basis and need not be kept after that; nor are they used for signing mail or such services. In fact, you, the user, never see the certificate or the key; it is passed on ahead of you to the party you want to reach, as a signed statement of your authorization to access some particular service.
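The check a relying party such as the T-shirt seller could run on a certificate issued on demand, as an added example that is not Columbia's own code. It assumes X.509 certificates handled with Go's standard `crypto/x509`; the throwaway CA standing in for the COD CA, the user name `jdoe`, and the ten-minute lifetime limit are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a cert for cn valid for ttl; parent == nil self-signs a stand-in CA (constructed).
func sign(cn string, ttl time.Duration, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkCOD: cert must chain to the pinned CA, be valid now, and live no longer than maxTTL (assumed policy).
func checkCOD(cert, ca *x509.Certificate, maxTTL time.Duration) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxTTL {
		return "", fmt.Errorf("lifetime %v exceeds on-demand limit", cert.NotAfter.Sub(cert.NotBefore))
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey := sign("Example COD CA", 24*time.Hour, nil, nil)
	leaf, _ := sign("jdoe", 5*time.Minute, ca, caKey) // jdoe is a constructed user name
	fmt.Println(checkCOD(leaf, ca, 10*time.Minute))
}
```

Because the seller trusts only the pinned CA certificate and rejects long-lived certificates, it never needs the user's password and a captured certificate stops being useful within minutes.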
The Columbia University COD CA may in the future branch out into issuing longer-term certificates to individuals for use with mail or other services.