tcp-ip-protocal-stack Back Continue Web Security Summary Web Security Overview

Digital Certificates

Certificates solve the problem of how to authenticate the public key. What is to stop someone from pretending to be you and telling your bank that their own public key is yours? If your bank believes them, then the bank will now send data to “you” encrypted with “your” public key. The impostor will be able to read this without any problem; more alarming still is that the impostor can now sign things with his private key, and the bank will believe them to come from you because it can decrypt them with “your” public key.

In this particular case it is easy to see how a bank might require further proof before accepting that the given key belongs to the person. But what about in the wider context of Internet commerce? How is it possible to be sure that www.acme-travel.com is indeed Acme Travel Co before I send them my credit card details? Encrypting the details with the public key they supply only ensures that no-one else will be able to read them.

The answer lies in a Certificate, sometimes called a Digital ID. A certificate is a structure which contains the distinguished name (e.g. a legal name such as Acme Travel Co) and the public key of its owner. This structure is then signed by a Certificate Authority (CA) using its own private key. If you have the public key of the CA then you can verify that they signed the certificate, and if you trust them you can now believe the person who has the certificate is who he says he is.

This still does not eliminate the problem of obtaining trust-worthy public keys: you still need to be sure of the public key for the CA. However, the problem is now substantially reduced; you just need a few keys for the CAs, rather than the public keys of everyone with whom you might ever do business. In practice, browsers such as Netscape and Internet Explorer have the public keys of reputable CAs built into them, so obtaining the keys is not normally a problem for the end user. Of course then you have to worry about whether or not this is a genuine unaltered copy of the browser, or if someone somewhere might have modified it....

Contents ] DNS ] p6spy ] Weblogic Tuning ] Cactus ] The Grinder ] Word to PDF ]

©1994-2006 All text and images copyright: www.abcseo.com; last updated: