Digital certificate: Difference between revisions
imported>Howard C. Berkowitz (New page: {{subpages}} Computer and communications security mechanisms that depend on public key encryption require confidence in the existence of a trusted means of obtaining the public key...)
imported>Howard C. Berkowitz mNo edit summary
Revision as of 00:03, 4 October 2008
Computer and communications security mechanisms that depend on public key cryptography require confidence in the existence of a trusted means of obtaining the public key associated with the source of information to be decrypted, which is usually called a digital certificate. The administrative and organizational steps needed to make public key cryptography practical are called public key infrastructure (PKI).
According to the Internet Engineering Task Force specification for such certificates, they are data structures that bind public key values to the rightful holder of the certificate. The binding is asserted by having a trusted certification authority (CA) digitally sign each certificate. "The CA may base this assertion upon technical means (a.k.a., proof of possession through a challenge-response protocol), presentation of the private key, or on an assertion by the subject. A certificate has a limited valid lifetime, which is indicated in its signed contents. Because a certificate's signature and timeliness can be independently checked by a certificate-using client, certificates can be distributed via untrusted communications and server systems, and can be cached in unsecured storage in certificate-using systems." [1]
While there are many details, think of a digital certificate as if it were a typical official document such as a passport:
- The passport holder is named
- There is some way of authenticating the holder's identity, such as a photograph
- The credential issuer can be verified (e.g., official seals and stamps)
- There is an understanding of the credentials granted by the certificate (i.e., the government of the issuing country asks the government of the country being visited to accept the passport holder)
- There are means of detecting forgeries (e.g., tamper resistant paper, biometrics)
- There is a way to verify if the certificate has been revoked (e.g., a traveler "hot list", or, in the case of digital certificates, a certificate revocation list (CRL)); a CRL may be transmitted and updated electronically
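The checks a certificate-using client makes on its own (CA signature, validity period, revocation list) are shown end to end in the following added example, which is not part of the original article. It assumes the Python `cryptography` package; the CA name, host name, serial numbers, keys and dates are constructed, and the CA public key stands in for a pre-installed trust anchor.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])  # hypothetical CA
def issue(cn, pub, ca_key, start, days, serial):  # CA binds key `pub` to subject `cn`
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA)
            .public_key(pub).serial_number(serial).not_valid_before(start)
            .not_valid_after(start + dt.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, when, serials):  # CA publishes a signed list of revoked serials
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA)
           .last_update(when).next_update(when + dt.timedelta(days=7)))
    for s in serials:
        entry = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(when)
        crl = crl.add_revoked_certificate(entry.build())
    return crl.sign(ca_key, hashes.SHA256())

def _utc(cert, attr):  # cryptography >= 42 has *_utc; older versions return naive UTC
    v = getattr(cert, attr + "_utc", None)
    return v.replace(tzinfo=None) if v is not None else getattr(cert, attr)

def check(cert, ca_pub, crl, now):  # the only trusted input is the CA public key
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    if not (_utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after")):
        return "outside validity period"
    if not crl.is_signature_valid(ca_pub):
        return "untrusted CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():  # all keys, names, serials and dates below are constructed
    ca, rogue, holder = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    pub, t0, day = ca.public_key(), dt.datetime(2024, 1, 1), dt.timedelta(days=1)
    good = issue("www.example.test", holder.public_key(), ca, t0, 90, 1001)
    forged = issue("www.example.test", rogue.public_key(), rogue, t0, 90, 1002)
    empty, updated = make_crl(ca, t0, []), make_crl(ca, t0 + 40 * day, [1001])
    return [check(good, pub, empty, t0 + 30 * day), check(forged, pub, empty, t0 + 30 * day),
            check(good, pub, empty, t0 + 120 * day), check(good, pub, updated, t0 + 45 * day)]
```

The `forged` certificate names the same issuer but is signed with a different key, so it fails the first check no matter how it was delivered or stored.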
References
- D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk (May 2008), Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC5280