- Digital Certificates
- We’ve encrypted the message digest so we should be safe, right? Well, not quite.
- Q: How do we know that the public key that we’re using to decrypt the digital signature is not actually from an imposter?
- A: Digital Certificates
- A certificate essentially provides two things:
- 1) A party’s public key.
- 2) A statement with information about the owner of the public key.
- Another way to think of a digital certificate is as a message digest for keys. In other words, a digital signature validates keys.
- The information provided with the certificate allows us to verify that the public key that we are receiving is actually from whom we expect it to be.
- This also protects the owner of the key because imposters will need to have the key AND a certificate to spoof their identity.
- Now we’re totally secure, right? Not quite.
- Certificate Authority
- Anyone can make their own digital signature. And anyone can make a digital signature say anything they want it to.
- Q: How do we know a given certificate is really from the person it says it is from?
- A: Certificate Authorities
- The role of a Certificate Authority (CA) is to vouch that a given digital signature is actually from the person that the certificate says it is from.
- VeriSign, Thawte and the U.S. Postal Service are examples of CAs.
- At this point we “trust” a CA because its reputation is on the line. If they lied, they would go out of business (and probably get sued).
- However, if we choose not to trust a particular CA, then we use Certificate Chaining.
- Certificate chaining is basically one CA vouching for another CA.
- A certificate chain can be infinitely long.
- At some point (if we want any work to get done) we have to trust someone.
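
The chain walk described above, as an added example that is not from the original slides: each certificate is checked against the key of the CA that vouches for it until a CA we already trust is reached. Toy RSA built from Mersenne primes stands in for real signatures and is not secure; the names Root CA, Intermediate CA, Alice and Mallory and the certificate fields are assumptions.

```python
import hashlib

E = 65537  # public exponent

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (illustration only, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs(subject, issuer, pub):
    # What the CA signs: the statement about the owner plus the owner's public key.
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()

def issue(subject, pub, issuer, issuer_priv):
    n, d = issuer_priv
    sig = pow(digest(tbs(subject, issuer, pub), n), d, n)
    return {"subject": subject, "issuer": issuer, "pub": pub, "sig": sig}

def signed_by(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == digest(tbs(cert["subject"], cert["issuer"], cert["pub"]), n)

def verify_chain(chain, trusted):
    """chain: leaf certificate first, each followed by its issuer's certificate.
    trusted: {CA name: public key} for the CAs we have decided to trust."""
    for i, cert in enumerate(chain):
        if cert["issuer"] in trusted:  # reached someone we trust: stop here
            return signed_by(cert, trusted[cert["issuer"]])
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt["subject"] != cert["issuer"] or not signed_by(cert, nxt["pub"]):
            return False  # nobody vouches for this certificate, or the signature is wrong
    return False

# Constructed sample data
root_pub, root_priv = keypair(61, 89)
inter_pub, inter_priv = keypair(107, 127)
alice_pub, _alice_priv = keypair(521, 607)
mallory_pub, mallory_priv = keypair(1279, 2203)
TRUSTED = {"Root CA": root_pub}
inter_cert = issue("Intermediate CA", inter_pub, "Root CA", root_priv)
alice_cert = issue("Alice", alice_pub, "Intermediate CA", inter_priv)
forged = issue("Alice", mallory_pub, "Alice", mallory_priv)  # self-made certificate

if __name__ == "__main__":
    print(verify_chain([alice_cert, inter_cert], TRUSTED))  # True
    print(verify_chain([forged], TRUSTED))                  # False
```

Real certificate validation also checks validity dates, revocation status and whether each issuer is permitted to act as a CA, none of which this toy models.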