Understanding Digital Certification - Novell IFOLDER 3.7 - ADMINISTRATION Administration Manual


You can use self-signed certificates if iFolder is deployed in a trusted environment. The
certificates are generated by using the YaST CA Management plug-in or OpenSSL tools.
Section 6.6.1, "Understanding Digital Certification"
Section 6.6.2, "Creating a YaST-based CA"
Section 6.6.3, "Creating Self-Signed Certificates Using YaST"
Section 6.6.4, "Exporting Self-Signed Certificates"
Section 6.6.5, "Exporting Self-Signed Private Key Certificates For Key Recovery"
Section 6.6.6, "Using KeyRecovery to Recover the Data"
Section 6.6.7, "Managing Certificate Change"

6.6.1 Understanding Digital Certification

To protect user data from access by unauthorized people, the user data is encrypted by using keys
that always occur in private and public key pairs. The keys are applied to the user data in a
mathematical process, producing an altered data record in which the original content can no longer
be identified.

Private Key: The private key must be kept safely by the key owner. Accidental publication of the
private key compromises the key pair and can also be a security threat. The private key is held
either by the Recovery Agent or by the user.

Public Key: The key owner circulates the public key for use by third parties.

Certificate Authority (CA): The public key process is popular and there are many public keys in
circulation. Certificate authorities are trustworthy organizations that issue and sign public key
certificates. The CA ensures that a public key actually belongs to the assumed owner. The
certificates that a CA holds contain the name of the key owner, the corresponding public key, and the
electronic signature of the person or entity issuing the certificate. The iFolder Recovery Agents are
examples of one kind of CA.

Public Key Infrastructure (PKI): Certificate authorities are usually part of a certification
infrastructure that is also responsible for the other aspects of certificate management, such as
publication, withdrawal, and renewal of certificates. An infrastructure of this kind is generally
referred to as a Public Key Infrastructure or PKI. One familiar PKI is the X.509 Public Key
Infrastructure (PKIX). The security of such a PKI depends on the trustworthiness of the CA
certificates. To make certification practices clear to PKI customers, the PKI operator defines a
certification practice statement (CPS) that defines the procedures for certificate management. This
should ensure that the PKI issues only trustworthy certificates.

X.509 Public Key Infrastructure: The X.509 Public Key Infrastructure is defined by the IETF
(Internet Engineering Task Force) and serves as a model for almost all publicly used PKIs today. In
this model, authentication is performed by certificate authorities (CAs) in a hierarchical tree
structure. The root of the tree is the root CA, which certifies all sub-CAs. The lowest level of
sub-CAs issues user certificates. User certificates are trustworthy because their certification can
be traced to the root CA.

X.509 Certificate: An X.509 certificate is a data structure with several fixed fields and, optionally,
additional extensions. The fixed fields mainly contain the name of the key owner, the public key,
and data relating to the issuing CA, such as its name and signature. For security reasons, a
certificate should only have a limited period of validity, so a field is also provided for this date.
The CA guarantees the validity of the certificate in the specified period. The CPS usually requires the issuing
OES 2 SP1: Novell iFolder 3.7 Administration Guide
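
The X.509 hierarchy and certificate fields described in Section 6.6.1 can be reproduced with the OpenSSL tools. The script below is an added example, not part of the Novell guide: it builds a throwaway root CA, sub-CA, and user certificate, then checks that the user certificate is trusted only when its chain can be traced to the root. The certificate names, the 30-day lifetime, and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (constructed names, throwaway keys): root CA -> sub-CA -> user certificate.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# new_csr NAME CN: create a key pair and a certificate request for its public key.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER [x509 options]: ISSUER signs NAME's request, valid for 30 days.
sign() {
  name=$1; issuer=$2; shift 2
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
    -CAcreateserial -days 30 -out "$WORK/$name.pem" "$@" 2>/dev/null
}
build_chain() {
  # Root CA: self-signed, so subject and issuer carry the same name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  new_csr sub "Example Sub CA" && sign sub root -extfile "$WORK/ca.cnf" -extensions ca_ext
  new_csr user "Example User" && sign user sub
}
# The user certificate is trusted only if its chain reaches the trusted root.
verify_user() { openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/user.pem" >/dev/null 2>&1; }
# Print the fixed fields: key owner, issuing CA, validity period.
show_fields() { openssl x509 -in "$WORK/$1.pem" -noout -subject -issuer -dates; }
# Succeeds if certificate $1 is still inside its validity period $2 seconds from now.
valid_for() { openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null; }
is_self_signed() {
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$WORK/$1.pem" -noout -issuer | sed 's/^issuer= *//')" ]
}

build_chain
show_fields user
verify_user -untrusted "$WORK/sub.pem" && echo "chain to root: OK"
verify_user || echo "without the sub-CA certificate: not trusted"
```
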
