Practical Solutions, Inc. - Your source for Technology, Solutions, and Services

Technical Bulletins - PKI

 
PKI - Digital Certificate
A digital certificate can act as an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a trusted certificate authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Most of today's digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys. A digital certificate often comes as an attachment to an electronic message and is used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

An individual wishing to send an encrypted message, for example, applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet. The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can then send an encrypted reply.

The certificate authority, or CA, will specify the level of trust that can be accorded to the certificate. For example, a simple certificate might only affirm that the user's name is indeed associated with this key. A higher level might affirm the owner's age and so on. In the event of a sudden change in the user's status, a certificate can be revoked. The idea is that an organization to whom a certificate has been tendered as part of a transaction will verify that certificate with the appropriate CA to make sure it has not been revoked and that the user's status has not changed since the certificate was issued. How merchants can quickly contact the CA for such verification is the problem the PKI is attempting to solve.

Not all digital certificates rely on an external CA for issuance or validation. Large companies might issue their own certificates to their employees, in which they would specify access privileges, signing limits, and other information in addition to the public encryption keys. Certificates of this type are stored in an enterprise directory, where they are generally accessed using the Lightweight Directory Access Protocol (LDAP).

Digital certificates can also be used to ensure the integrity of stored data, such as a user profile on a smart card. The certificate is then validated each time the user data is accessed and prior to retrieving the information.
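The checks this bulletin describes (that the certificate was issued by the trusted CA, that it is within its expiration dates, and that it has not been revoked), as an added example that is not part of the original bulletin. It uses Go's standard `crypto/x509` package; the CA, subject names, serial numbers and the in-memory revoked-serial set, which stands in for a query to the CA's revocation service, are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on setup errors in this demo
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed certificate signed by parent (self-signed root CA when parent is nil).
func issue(name string, serial int64, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(ttl),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// validate checks the CA's signature and the validity dates, then the revocation status.
func validate(cert, ca *x509.Certificate, revoked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil && revoked[cert.SerialNumber.String()] {
		err = fmt.Errorf("serial %v revoked by CA", cert.SerialNumber)
	}
	return err
}

func main() {
	ca, caKey := issue("Example CA", 1, time.Hour, nil, nil)
	alice, _ := issue("alice", 1001, time.Hour, ca, caKey)
	fmt.Println(validate(alice, ca, nil), validate(alice, ca, map[string]bool{"1001": true}))
}
```

A certificate signed by a different key is rejected even when its issuer name matches the trusted CA's name, because the check is made against the CA's public key rather than the name.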


Last modified: October 24, 2003

Copyright © Practical Solutions, Inc.