Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL

Part I: Concepts > Certificates and Certification - Pg. 47

47 Chapter 6. Certificates and Certification As Chapter 2, "Public-Key Cryptography," discussed, public-key cryptography involves the use of public/private key pairs to facilitate digital signature and key management services. The fundamen- tal principle that enables public-key technology to scale is the fact that the public component of the public/private key pair may be distributed freely among the entities that need the public component to use the underlying security services. (See Chapter 4, "Core PKI Services: Authentication, Integ- rity, and Confidentiality," and Chapter 5, "PKI-Enabled Services," for more information regarding security services enabled through the use of a PKI.) However, distribution of the public component without some form of integrity protection would defeat the very foundation for these security services. Thus, the public-key component must be protected --but in such a way that it will not impact the overall scalability that public-key cryptography tech- niques offer. Thus, a data integrity mechanism is required to ensure that the public key (and any other information associated with that public key) is not modified without detection. However, a data integrity mech- anism alone is not sufficient to guarantee that the public key belongs to the claimed owner. A mech- anism that binds the public key to the claimed owner in a trustworthy manner is also required. In the end, the goal is to provide a single mechanism by which a relying party (that is, the "user" of the certificate as defined in RFC2527) is assured that · The integrity of the public key (and any other associated information) is sound. · The public key (and any other associated information) has been bound to the claimed owner in a trusted manner. The purpose of this chapter is to explain how using public-key certificates accomplishes this goal. Certificates Kohnfelder first introduced the concept of using a signed data structure or certificate to convey the public key to a relying party in his 1978 bachelor's thesis entitled "Towards a Practical Public-Key Cryptosystem" [Kohnfelder]. Thus, even two decades ago, it was recognized that a scalable and secure method (from an integrity perspective) would be required to convey the public keys to the parties that needed them. Simply stated, public-key certificates are used to bind an entity's name (and possibly additional attributes associated with that entity) with the corresponding public key. When discussing the concept of a "certificate," it is important to recognize that a number of different types of certificates exist, including · · · · X.509 Public-key certificates Simple Public Key Infrastructure (SPKI) certificates Pretty Good Privacy (PGP) certificates Attribute certificates