B.4.3.3. Signed and Encrypted Email
Some email programs support digitally signed and encrypted email using a widely accepted protocol
known as Secure Multipurpose Internet Mail Extension (S/MIME). Using S/MIME to sign or encrypt
email messages requires the sender of the message to have an S/MIME certificate.
An email message that includes a digital signature provides some assurance that it was sent by the
person whose name appears in the message header, thus authenticating the sender. If the digital
signature cannot be validated by the email software, the user is alerted.
The digital signature is unique to the message it accompanies. If the message received differs in
any way from the message that was sent, even by adding or deleting a single character, the digital
signature cannot be validated. Therefore, signed email also provides assurance that the email has
not been tampered with. This kind of assurance is known as nonrepudiation, which makes it difficult
for the sender to deny having sent the message. This is important for business communication. For
information about the way digital signatures work, see Section B.3, "Digital Signatures".
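To make the tamper-detection property described above concrete, here is an added Go example (not code from the Certificate System documentation) that signs a constructed message with the sender's RSA key and shows that altering a single digit invalidates the signature. It demonstrates the signature step underlying S/MIME only; the CMS/S/MIME envelope and certificate handling are not modelled, and the key pair and message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage signs the SHA-256 digest of msg with the sender's RSA private
// key (PKCS#1 v1.5, the scheme classic S/MIME uses). S/MIME wraps such a
// signature in a CMS structure with the signer's certificate; not modelled here.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest over msg as received and checks sig
// against the sender's public key; any change to msg makes the check fail.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// TamperDemo signs a constructed message, then verifies both the original and
// a copy in which a single digit was altered. It returns (originalOK, tamperedOK).
func TamperDemo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair (constructed)
	if err != nil {
		return false, false, err
	}
	original := []byte("From: alice@example.com\r\n\r\nPlease transfer 1000 to account 42.\r\n")
	tampered := []byte("From: alice@example.com\r\n\r\nPlease transfer 9000 to account 42.\r\n")
	sig, err := SignMessage(priv, original)
	if err != nil {
		return false, false, err
	}
	return VerifyMessage(&priv.PublicKey, original, sig),
		VerifyMessage(&priv.PublicKey, tampered, sig), nil
}

func main() {
	okOrig, okTampered, err := TamperDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", okOrig)   // true
	fmt.Println("tampered verifies:", okTampered) // false
}
```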
S/MIME also makes it possible to encrypt email messages, which is important for some business
users. However, using encryption for email requires careful planning. If the recipient of encrypted email
messages loses the private key and does not have access to a backup copy of the key, the encrypted
messages can never be decrypted.
B.4.4. Single Sign-on
Network users are frequently required to remember multiple passwords for the different services
they use, such as logging onto the network, collecting email, using directory services, using the corporate
calendar program, and accessing servers. Multiple passwords are problematic for two reasons. Users have
difficulty keeping track of different passwords, tend to choose poor ones, and tend to write them down
in obvious places. Administrators must keep track of a separate password database on each server and
deal with the potential security problems of passwords being sent over the network routinely and
frequently.
The solution to this problem is single sign-on, which allows a user to log in once with a single
password and get authenticated access to all network resources that user is authorized to use, without
sending any passwords over the network. Both SSL client certificates and S/MIME certificates can
play a significant role in a comprehensive single sign-on solution; SSL client authentication allows
a user to log into the local client's private-key database and get authenticated access to all SSL-
enabled servers that user is authorized to use. This approach simplifies access for users because
they do not need to enter passwords for each new server. It also simplifies network management since
administrators can control access by controlling lists of CAs rather than much longer lists of users and
passwords.
In addition to using certificates, a complete single sign-on solution must address interoperability
with enterprise systems, such as the operating system, that rely on passwords or other forms of
authentication.
B.4.5. Contents of a Certificate
The contents of certificates are organized according to the X.509 v3 certificate specification, which has
been recommended by the International Telecommunication Union (ITU), an international standards
body.