Introduction to digital certificates:
A digital certificate is equivalent to an electronic ID card. It serves two purposes:
• To establish the identity of the certificate owner
• To distribute the owner's public key
Certificates provide a way of authenticating users, referred to as authentication by trusted third parties. Instead of requiring each participant in an application to authenticate every user, third-party authentication relies on the use of certificates, electronic ID cards. Certificates are issued by trusted parties, called certificate authorities (CAs). These authorities can be commercial ventures or they can be local entities, depending on the requirements of your application. Regardless, the CA is trusted to adequately authenticate users before issuing certificates to them. Also, when a CA issues certificates, it digitally signs them. When a user presents a certificate, the recipient of the certificate validates it by using the digital signature. If the digital signature validates the certificate, the certificate is known to be intact and authentic. Participants in an application need only to validate certificates; they do not need to authenticate users themselves. The fact that a user can present a valid certificate proves that the CA has authenticated the user. The descriptor trusted third-party indicates that the system relies on the trustworthiness of the CAs.
What are digital certificates?
Digital certificates are primarily used to authenticate communication over the Internet. There are three categories of digital certificates: Web Server Certificates, Developer Certificates and Personal Certificates.
1. Web Server Certificates: These are the electronic equivalent of a business license. It assures potential customers that the site they are visiting is a legitimate business. When used in combination with encryption (this ability comes with the certificate), certificates provide additional assurance that only the intended party can access the data and that the data will not be compromised en route. Digital certificates allow applications like e-mail, online trading, and credit card purchasing to be conducted in a secure environment.
2. Developer Certificates: These certificates enable developers to sign software and macros and deliver them safely to customers over the Internet. The customer can be confident that the software or macros are legitimate.
3. Personal Certificates: These certificates secure e-mail conversations and access to corporate web servers, and are used primarily to authenticate e-mail communication. Personal digital certificates provide assurance that the person or entity sending the e-mail is who they say they are. If Sue sees a signed icon in an e-mail message she receives from Joe, she can be assured that the e-mail is actually from Joe.

Digital certificates allow one to have confidence that the person or company with whom they are communicating is indeed who they claim to be. Personal certificates are like a driver’s license or a passport. When you show this as proof of identity to someone else, it gives them confidence they are dealing with the real you. For a company, certificates are similar to a business license in that they validate a business is legitimate. They are both provided to you by a trusted source. For simplicity purposes, this paper will focus primarily on Personal Digital Certificates.

The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authority's public key and, now confident of the public key of the sender, verifies the message's signature. There may be two or more certificates enclosed with the message, forming a hierarchical certificate chain, wherein one certificate testifies to the authenticity of the previous certificate. At the end of a certificate hierarchy is a top-level certifying authority, which is trusted without a certificate from any other certifying authority. The public key of the top-level certifying authority must be independently known, for example, by being widely published.

Definitions: As I was researching this paper, I was amazed at how difficult these companies make it for a non-technical person to understand what a digital certificate is and why they are necessary. Take a look at the four definitions below. The first two are from providers’ web sites and require a basic understanding of encryption and private and public keys. The second two are from informational websites that are designed to help people understand the terms used in ecommerce.

Provider Definitions: RSA Security defines digital certificates as "digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a specific public key does in fact belong to a specific individual." Equifax defines them as "electronic credentials that allow secure communications between two parties. Digital certificates help identify and encrypt electronic messages over networks like the Internet, company intranets or extranets. A digital certificate attaches the holder’s identity to a unique pair of software keys: a

Informational Website Definitions: Internet.com defines digital certificates as the "electronic counterparts to drivers' licenses, passports, or membership cards. They are computer files a person attaches to anything they may send over the Internet." Webopedia.com defines them as "an attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply. They contain information like the certificate owner's name, the name of the certificate authority (CA) that issued it and a public encryption key."

Notice the lack of jargon and the use of familiar terms in the second two definitions.

X.509: As one might expect, digital certificates are not all the same. In an attempt to overcome this issue, the International Telecommunications Union (ITU) developed the X.509 standard, which defines what information must be contained in a digital certificate. For example, "both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. Each party in a SET transaction requires a digital certificate that identifies him as the legitimate user of a bank card or credit card or merchant account." Here’s the catch: X.509 is a recommendation. This means that it has not yet been officially defined or approved and, as a result, the X.509 standard is not really a standard at all. Instead, companies have implemented the "standard" in different ways. An X.509 certificate generated by Netscape may not be readable by Microsoft products, and vice versa. Therefore, even if you have a digital certificate, the person you are communicating with may not know it because the software they are using doesn’t recognize it.
Requesting certificates: To get a certificate, you must send a certificate request to the CA. The certificate request includes the following:
• The distinguished name of the owner (the user for whom the certificate is being requested). A DN is a unique identifier, a fully qualified name including not only the common name (CN) of the owner, but the owner's organization and other distinguishing information.
• The public key of the owner.
• The digital signature of the owner. The message-digest function is run over all these fields.
The CA verifies the signature with the public key in the request to ensure that the request is intact and authentic. The CA then authenticates the owner. Exactly what the authentication consists of depends on a prior agreement between the CA and the requesting organization. If the owner in the request is successfully authenticated, the CA issues a certificate for that owner.

Contents of a digital certificate: A certificate contains several pieces of information, including information about the owner of the certificate and the issuing CA. Specifically, a certificate includes:
• The distinguished name (DN) of the owner.
• The public key of the owner.
• The date on which the certificate was issued.
• The date on which the certificate expires.
• The distinguished name of the issuing CA.
• The digital signature of the issuing CA. (The message-digest function is run over all the preceding fields.)
The information in a certificate allows an application to decide if it should honor the certificate. With the expiration date, the application can determine if the certificate is still valid. With the name of the issuing CA, the application can check that the CA is considered trustworthy by the site.

Using certificates: Chains of trust and self-signed certificates
To verify the digital signature on a certificate, you must have the public key of the issuing CA. Since public keys are distributed in certificates, you must have a certificate for the issuing CA. That certificate will be signed by the issuer. One CA can certify other CAs, so there can be a chain of CAs issuing certificates for other CAs, all of whose public keys you need. Eventually, though, you reach a starting point. The starting point is a root CA that issues itself a self-signed certificate. In order to validate a user's certificate, you need certificates for all intervening participants, back to the root CA. Then you have the public keys you need to validate each certificate, including the user's. These keys and certificates are stored in a keyring.

Digital Certificates are your digital passport, an Internet ID. They are verification of who you are and the integrity of your data. Used together, they protect your data as it travels over the Internet.

How do you use Digital Certificates? Personal certificates are primarily used for e-mail. Once a person has purchased a digital certificate from one of the many sources (listed later in this paper), they can begin signing outgoing messages. When sending e-mail using Netscape Messenger, select the Message Sending Options tab in the message window and enable the Signed checkbox. The recipient will see a signed icon that indicates the message has been signed – that is, the recipient will see a signed icon if he or she is also using Netscape (we’ll get into this issue later in the paper as well). To have the system automatically sign all outgoing messages, open the Netscape Communicator Security Advisor by choosing Security Info from the Communicator menu. Click on the Messenger link to display the Messenger Security Settings and enable the "Sign mail messages, when it is possible" checkbox. To automatically sign outgoing discussion (news) messages, enable the "Sign discussion (news) messages, when it is possible" checkbox.

How DCs protect the data: Encryption and Digital Certificates are the solution for Internet Commerce. Encryption is the process of using a mathematical algorithm to transform information into a format that can't be read (this format is called cipher text). Decryption is the process of using another algorithm to transform encrypted information back into a readable format (this format is called plain text).
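The chain-of-trust validation described above, worked through in Go as an added example (not code from the paper): a root CA issues itself a self-signed certificate and certifies an issuing CA, which certifies Joe's personal certificate; the verifier keeps only the root in its keyring and walks each signature back to it, rejecting a chain that ends at a CA it does not trust and a certificate past its expiration date. Names, organizations, serial numbers and validity periods are constructed; the Go standard library's x509 package performs the signature and date checks.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a certificate for the DN (CN, O) given, signed by parentKey; parent == nil means self-signed (a root CA).
func mkCert(cn, org string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial number
	tmpl := &x509.Certificate{
		SerialNumber: sn,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA issues itself a self-signed certificate
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain walks leaf back to a trusted root through the intermediates, checking every signature and validity period.
func verifyChain(leaf *x509.Certificate, inters, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Scenarios builds root CA -> issuing CA -> Joe (constructed names) and reports three validation outcomes.
func Scenarios() (trustedOK, untrustedRejected, expiredRejected bool) {
	later := time.Now().Add(365 * 24 * time.Hour)
	root, rootKey := mkCert("Example Root CA", "Example CA", true, nil, nil, later)
	ca, caKey := mkCert("Example Issuing CA", "Example CA", true, root, rootKey, later)
	other, otherKey := mkCert("Other Root CA", "Other CA", true, nil, nil, later)
	joe, _ := mkCert("Joe", "Acme", false, ca, caKey, later)
	fake, _ := mkCert("Joe", "Acme", false, other, otherKey, later) // correctly signed, but by a CA the keyring does not trust
	old, _ := mkCert("Joe", "Acme", false, ca, caKey, time.Now().Add(-time.Minute))
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the keyring's only trusted root
	inters.AddCert(ca)
	inters.AddCert(other) // enclosed with the message, but not trusted as a root
	return verifyChain(joe, inters, roots) == nil, // chain: joe -> ca -> root
		verifyChain(fake, inters, roots) != nil, // chain ends at an unknown CA
		verifyChain(old, inters, roots) != nil // past its expiration date
}
```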
Combined, encryption and digital certificates protect and secure your data in the following four ways:
• Authentication: This is digital verification of who you are, much in the same way your driver's license proves your identity. It is very easy to send spoofed email, i.e. I can email anyone in the world pretending I am the President of the United States. Using standard email, there is no way to verify who the sender is, i.e. if it is actually the President. With digital certificates, you digitally encode verifiable proof of your identity into the email.
• Encryption: This ensures that your data was unable to be read or utilized by any party while in transit. Your message is encrypted into incomprehensible gibberish before it leaves your computer. It maintains its encrypted (gibberish) state during its travel through the Internet. It is not decrypted until the recipient receives it. Because of the public-key cryptography used (discussed later), only the recipient can decipher the received message.
• Integrity: This is the verification that the data you sent has not been altered. When email or other data travels across the Internet, it routes through various gateways (way stations). It is possible for people to capture, alter, then resend the message. Example: your boss emails the company president stating that you should be fired. It is possible for you to intercept that email and change it, saying you deserve a $10,000 raise. With digital signatures and certificates, your email cannot be altered without the recipient knowing.
• Token verification: Digital tokens replace your password, which can be easily guessed. The most common way to secure data or a web site is with passwords. Before anyone accesses the data, they are prompted with their user login id and password. However, this is easily cracked using various security software (such as Crack 5.0, etc.). Also, passwords can be found with other means, such as social engineering. Passwords are not secure. Tokens offer a more secure way of access to sensitive data. When you need access to a system, that system asks you for your digital certificate instead of a password. Your computer would then send the certificate, in encrypted format, through the Internet, authorizing you for access. Token verification is more secure. Your digital certificate is an encrypted file that sits on your hard drive. For this to be compromised, someone would have to copy this file from your computer, AND know your password to decrypt the file.

Digital Certificate Providers:
CertCo: www.certco.com/
Digital Signature Trust: www.digsigtrust.com/
Encommerce: www.encommerce.com/
Entegrity: www.entegrity.com/
Entrust: www.entrust.com/
Equifax: http://www.equifax.com/
GTE CyberTrust: www.cybertrust.gte.com/cybertrust/index.html
Litronic: www.litronic.com/
RSA Security: www.rsasecurity.com/
Setco: www.setco.org/
Thawte: www.thawte.com/
Valicert: www.valicert.com/
Verisign: digitalid.verisign.com/client/class1MS.htm
Xcert: www.xcert.com/

Pricing: Prices range widely for digital certificates. The following is a comparison of Thawte and Verisign prices.

Service                     Thawte    Verisign
Server Certificates
  Initial Certificate       $125      $349
  Renewal                   $100      $249
Personal Certificates
  Class 1                   Free      $14.95
  Class 2                   $20       $14.95
Developer Certificates
  Initial Certificate       $200      $400
  Renewal                   $100      $400
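The Authentication and Integrity properties above, worked through in Go as an added example (not from the paper): the boss signs the message, the president verifies it with the public key from the boss's certificate, and both a body altered in transit and a message signed with someone else's key fail the check. The message text and keys are constructed, and the certificate carrying the public key is assumed to have been validated already.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// SignedMail is a constructed stand-in for a signed e-mail: the body plus the sender's
// signature over its digest (S/MIME also encloses the sender's certificate).
type SignedMail struct {
	Body      string
	Signature []byte
}

// Sign signs the SHA-256 digest of the body with the sender's private key.
func Sign(key *ecdsa.PrivateKey, body string) SignedMail {
	digest := sha256.Sum256([]byte(body))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedMail{Body: body, Signature: sig}
}

// Verify recomputes the digest and checks the signature with the public key taken from
// the sender's certificate; any change to the body or a signature by a different key fails.
func Verify(pub *ecdsa.PublicKey, m SignedMail) bool {
	digest := sha256.Sum256([]byte(m.Body))
	return ecdsa.VerifyASN1(pub, digest[:], m.Signature)
}

// Demo plays out the paper's scenario: the boss signs an e-mail to the president, and
// the president checks the original, a copy altered in transit, and a spoofed copy
// signed with an impostor's key. Message text and keys are constructed.
func Demo() (originalOK, alteredOK, spoofedOK bool) {
	bossKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bossPub := &bossKey.PublicKey // what the president reads out of the boss's certificate
	mail := Sign(bossKey, "This employee should be let go.")
	altered := SignedMail{Body: "This employee deserves a $10,000 raise.", Signature: mail.Signature}
	spoofed := Sign(impostorKey, "This employee deserves a $10,000 raise.")
	return Verify(bossPub, mail), Verify(bossPub, altered), Verify(bossPub, spoofed)
}
```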
Conclusion: Digital Certificates provide a way to authenticate communication on the Internet. They come in three flavors: personal, web server, and developer certificates. Personal certificates are primarily used for e-mail. Universal acceptance and widespread use will depend on the industry’s ability to communicate in understandable terms and the development of a true standard. That said, if popular novelist Stephen King is making it work, chances are you will have a certificate of your own tucked securely away in your PC in the coming years.

Four factors emerge from the ten survey responses as possible reasons for the lagging acceptance of certificates by technical documentation departments:
• cost
• compatibility
• perceived need
• familiarity
First, the capital outlay is significant and needs to be justified. It easily costs over $10,000 to deploy an adequately configured digital certificate system. In addition, there are staff training and ongoing system maintenance costs that, in most cases, exceed the capital investment. Second, while there are standards for digital certificate formatting and content, not all applications recognize the same endorsing entities. This application incompatibility often results in false warnings that a digital certificate may not be valid even though it is valid, and defeats the fundamental purpose of the system. Third, there is no clear need perceived by technical documentation professionals to use digital certificates. Thus, it is difficult to isolate a case of document theft or compromise that would only be mitigated by certificates and not by other security measures such as stronger password protection. Finally, as stated at the beginning, encryption is a mystery to many of us. Put all these factors together and the response rate is not surprising. A larger survey reaching more industries and writers is needed for conclusive results. So, although it is new to many of us, the digital certificate remains the most promising solution for ubiquitous electronic authentication and the leading applications are delivering the ability to use it today.

The knowledge about different revocation methods is not very widely spread. Efficient and practicable methods are still needed and a topic of today's research. A main requirement for new developments and new ideas is that they can easily be integrated in widely used X.509 certificates.