Certificate Authorities

The certificate mechanism relies on a set of trusted sources from which certificates can be obtained; these are known as Certificate Authorities (CAs). (The following is taken from RFC 1507.) A certification authority is a principal trusted to act as an introduction service. Each principal goes to the certification authority, presents its public key, and proves it has a particular name (the exact mechanisms for this vary with the type of principal and the level of security to be provided). The CA then creates a "certificate" which is a message containing the name and public key of the principal, an expiration date, and bookkeeping information signed by the CA's private key. All "subscribers" to a particular CA can then be authenticated to one another by presenting their certificates and proving knowledge of the corresponding secret. CAs need only act when new principals are being named and new private keys created, so that they can be maintained under tight physical security.
In practice this means that you apply to the CA for a certificate, and the CA
then checks that you are who you say you are. The amount of checking varies
with how trustworthy the certificate needs to be: some bodies, for example,
give out free trial certificates, but these certificates are clearly marked as
such. At the other end of the scale, commerce-class certificates from Verisign
are expensive (around £300 per certificate) and involve detailed checking of
your company and its security. This is the level of security that banks and
similar institutions will require when proving their identity to users who
intend to carry out financial transactions with them using these
authentication mechanisms.
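The following is an added example, not code from the original page or from RFC 1507, showing the two halves of the mechanism described above in working Go using only the standard library: a CA that binds a name to a presented public key, an expiry date and a serial number (the "bookkeeping information") and signs the result with its own private key, and a verifier that checks the CA's signature and the validity period before asking the subscriber to prove knowledge of the corresponding private key by signing a fresh nonce. The CA name, the subscriber name "alice@example.test" and the one-hour lifetime are constructed values for the demonstration; Ed25519 and X.509 are chosen here for brevity and are not what the page's era of CAs used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertificateAuthority holds the CA's self-signed certificate, the private key
// it signs subscriber certificates with, and the next serial number to issue.
type CertificateAuthority struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
	next int64
}

// NewCA creates a CA with a fresh Ed25519 key pair and a self-signed certificate.
func NewCA(name string) (*CertificateAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertificateAuthority{Cert: cert, key: priv, next: 2}, nil
}

// Issue is the "introduction service": the principal presents its public key and
// a name it has already proved it owns (out of band, as the text says), and the
// CA returns a certificate binding name, key, expiry and serial, signed by the CA.
func (ca *CertificateAuthority) Issue(name string, pub ed25519.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain checks that a presented certificate was signed by the trusted CA
// and is within its validity period at time 'at', returning the vouched-for name.
func VerifyChain(cert, trusted *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// ProvePossession: the subscriber signs a verifier-chosen nonce with its private key.
func ProvePossession(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// CheckPossession verifies that signature against the public key inside the
// certificate, which is what ties the live party to the name the CA vouched for.
func CheckPossession(cert *x509.Certificate, nonce, sig []byte) error {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an Ed25519 key")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not match the certificate's public key")
	}
	return nil
}

func main() {
	ca, err := NewCA("Example Root CA (constructed)")
	if err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the subscriber's key pair
	cert, err := ca.Issue("alice@example.test", pub, time.Hour)
	if err != nil {
		panic(err)
	}
	name, err := VerifyChain(cert, ca.Cert, time.Now())
	fmt.Println("CA vouches for:", name, "error:", err)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("proof of possession:", CheckPossession(cert, nonce, ProvePossession(priv, nonce)))
	_, err = VerifyChain(cert, ca.Cert, time.Now().Add(2*time.Hour)) // after the expiry date
	fmt.Println("two hours later:", err)
}
```

Note that `VerifyChain` only establishes that some CA the verifier trusts has bound this name to this key; a certificate alone authenticates nobody, which is why `CheckPossession` is a separate step, and why a certificate signed by a CA that is not in the verifier's root set is rejected however genuine it looks.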
©1994-2006 All text and images copyright: www.abcseo.com; last updated: