Introduction to Digital Certificates
Digital Certificates provide a means of proving your identity in electronic transactions, much like a driver license or a passport does in face-to-face interactions.
With a Digital Certificate, you can assure friends, business associates, and online services that the electronic information they receive from you are authentic.
This document introduces Digital Certificates and answers questions you might have about how Digital Certificates are used for information about the cryptography technologies used in Digital Certificates.
Digital certificates are the equivalent of a driver’s license, a marriage license, or any other form of identity.
The only difference is that a digital certificate is used in conjunction with a public key encryption system. Digital certificates are electronic files that simply work as an online passport.
Digital certificates are issued by a third party known as a Certification Authority such as VeriSign or Thawte.
These third party certificate authorities have the responsibility to confirm the identity of the certificate holder as well as provide assurance to the website visitors that the website is one that is trustworthy and capable of serving them in a trustworthy manner.
Digital certificates have two basic functions.
The first is to certify that the people, the website and the network resources such as servers and routers are reliable sources, in other words, who or what they claim to be.
The second function is to provide protection for the data exchanged from the visitor and the website from tampering or even theft, such as credit card information.
Who Uses Digital Certificates
Digital Certificates can be used for a variety of electronic transactions including e-mail, electronic commerce, groupware and electronic funds transfers.
Netscape’s popular Enterprise Server requires a Digital Certificate for each secure server.
For example, a customer shopping at an electronic mall run by Netscape’s server software requests the Digital Certificate of the server to authenticate the identity of the mall operator and the content provided by the merchant.
Without authenticating the server, the shopper should not trust the operator or merchant with sensitive information like a credit card number.
The Digital Certificate is instrumental in establishing a secure channel for communicating any sensitive information back to the mall operator Virtual malls, electronic banking, and other electronic services are becoming more commonplace, offering the convenience and flexibility of round-the-clock service direct from your home.
However, our concerns about privacy and security might be preventing you from taking advantage of this new medium for your personal business.
Encryption alone is not enough, as it provides no proof of the identity of the sender of the encrypted information. Without special safeguards, you risk being impersonated online.
Digital Certificates address this problem, providing an electronic means of verifying someone’s identity.
Used in conjunction with encryption, Digital Certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
Similarly, a secure server must have its own Digital Certificate to assure users that the server is run by the organization it claims to be affiliated with and that the content provided is legitimate.
Types of Digital Certificate:-
- Identity Certificates
An Identity Certificate is one that contains a signature verification key combined with sufficient information to identify (hopefully uniquely) the key holder.
This type of certificate is much subtler than might first be imagined and will be considered in more detail later.
- Accreditation Certificates
This is a certificate that identifies the key holder as a member of a specified group or organization without necessarily identifying them.
For example, such a certificate could indicate that the key holder is a medical doctor or a lawyer.
In many circumstances, a particular signature is needed to authorize a transaction but the identity of the key holder is not relevant.
For example, pharmacists might need to ensure that medical prescriptions are signed by doctors but they do not need to know the specific identities of the doctors involved.
Here the certificate states in effect that the key holder, whoever they are, has permission to write medical prescriptions’.
Accreditation certificates can also be viewed as authorization (or permission) certificates.
It might be thought that a doctor’s key without identity would undermine the ability to audit the issue of medical prescriptions.
However, while such certificate might not contain key holder identity data, the certificate issuer will know this so such requirements can be met if necessary.
- Authorizations and Permission Certificates
In these forms of certificate, the certificate signing authority delegates some form of authority to the key being signed.
For example, a Bank will issue an authorization certificate to its customers saying ‘the key in this certificate can be used to authorize the withdrawal of money from account number 271828’.
In general, the owner of any resource that involves electronic access can use an authorization certificate to control access to it.
Other examples include control of access to secure computing facilities and to World Wide Web pages.
In banking an identity certificate might be used to set up an account but the authorization certificate for the account will not itself contain identity data.
To identify the owner of a certificate a bank will typically look up the link between account numbers and owners in its internal databases.
Placing such information in an authorization certificate is actually undesirable since it could expose the bank or its customers to additional risks.
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
- The Requesting Party
The party who needs the certificate and will offer it for use by others – they will generally provide some or all of the information it contains.
- The Issuing Party
The party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
- The Verifying Party (or Parties)
They are Parties that validate the signature on the certificate and then rely on its contents for some purpose.
For example, a person – the requesting party –they might present paper documents giving proof of identity to a government agency – the issuing party – who will then provide an identity certificate that could then be used by a bank – the verifying party – when the requesting party opens a bank account.
The term ‘relying party’ is sometimes uses instead of ‘verifying party’ but this can be misleading since the real purpose is to identify a party who checks the certificate before relying on it.
In a credit card transaction many parties might handle a certificate and hence rely on it in some way but only a few of these might actually check the validity of the certificate.
Hence a ‘verifying party’ is a party that checks and then relies on the contents of a certificate, not just one that depends on it without checking its validity.
The actual parties involved in using a certificate will vary depending on the type of certificate.