A Certificate Identifies Someone or Something - Netscape Certificate Management System 6.1 Administrator's Manual

Certificates and Authentication

A Certificate Identifies Someone or Something

A certificate is an electronic document used to identify an individual, a server, a
company, or some other entity and to associate that identity with a public key. Like
a driver's license, a passport, or other commonly used personal IDs, a certificate
provides generally recognized proof of a person's identity. Public-key
cryptography uses certificates to address the problem of impersonation (see
"Internet Security Issues," which begins on page 763).

To get a driver's license, you typically apply to a government agency, such as the
Department of Motor Vehicles, which verifies your identity, your ability to drive,
your address, and other information before issuing the license. To get a student ID,
you apply to a school or college, which performs different checks (such as whether
you have paid your tuition) before issuing the ID. To get a library card, you may
need to provide only your name and a utility bill with your address on it.

Certificates work much the same way as any of these familiar forms of
identification. Certificate authorities (CAs) are entities that validate identities and
issue certificates. They can be either independent third parties or organizations
running their own certificate-issuing server software (such as Netscape Certificate
Management System). The methods used to validate an identity vary depending
on the policies of a given CA—just as the methods to validate other forms of
identification vary depending on who is issuing the ID and the purpose for which
it will be used. In general, before issuing a certificate, the CA must use its
published verification procedures for that type of certificate to ensure that an entity
requesting a certificate is in fact who it claims to be.

The certificate issued by the CA binds a particular public key to the name of the
entity the certificate identifies (such as the name of an employee or a server).
Certificates help prevent the use of fake public keys for impersonation. Only the
public key certified by the certificate will work with the corresponding private key
possessed by the entity identified by the certificate.

In addition to a public key, a certificate always includes the name of the entity it
identifies, an expiration date, the name of the CA that issued the certificate, a serial
number, and other information. Most importantly, a certificate always includes the
digital signature of the issuing CA. The CA's digital signature allows the certificate
to function as a "letter of introduction" for users who know and trust the CA but
don't know the entity identified by the certificate.

For more information about the role of CAs, see "How CA Certificates Are Used to
Establish Trust," beginning on page 784.
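
The binding and CA signature described above, shown with Go's standard crypto/x509 package as an added example (it is not from the manual or from Netscape Certificate Management System). The names "Example CA" and "server.example.test" and the helpers check, issue and Verify are assumptions made for illustration; all keys and certificates are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue binds a fresh public key to name; a nil parent yields a self-signed CA (constructed sample data).
func issue(name string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Verify checks the trusted CA's signature on a certificate it issued and on a look-alike from another key.
func Verify() (genuine, lookalike bool, leaf *x509.Certificate) {
	ca, caKey := issue("Example CA", nil, nil)
	rogue, rogueKey := issue("Example CA", nil, nil) // same CA name, different key pair
	leaf, _ = issue("server.example.test", ca, caKey)
	fake, _ := issue("server.example.test", rogue, rogueKey)
	return leaf.CheckSignatureFrom(ca) == nil, fake.CheckSignatureFrom(ca) == nil, leaf
}

func main() {
	ok, bad, c := Verify()
	fmt.Println(c.Subject, c.Issuer, c.SerialNumber, c.NotAfter, "genuine:", ok, "look-alike:", bad)
}
```

Both leaf certificates carry the same subject and issuer names; only the one signed with the trusted CA's private key passes the signature check, which is what lets the CA's signature act as the "letter of introduction."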
Appendix J
Introduction to Public-Key Cryptography
771
