Certificate Authority
Certificate Authority or Certification Authority (CA) is an entity, which is core to many PKI (Public Key Infrastructure) schemes, whose purpose is to issue digital certificates to use by other parties. It exemplifies a trusted third party. Some certification authorities may charge a fee for their service while some other CAs are free. It is also not uncommon for government and institutions to have their own CAs.
More about Issuing a Certificate
The certification authority issues a Public Key Certificate (PKC), which attests that the public key embedded in it indeed belongs to a particular person, server, organization or any other entity as said in the certificate. In such schemes, the obligation or duty of CAs is to verify the credentials of the applicants before issuing the certificate so that the users can trust the information in the CA certificates of a particular entity without any second thoughts.
But this model is not fool proof, at least in a theoretical point of view. For example, if a person (say A) could manage to get a certification authority to issue a false certificate tying another person (say B) to a wrong public key, whose corresponding private key is available to A, then this could lead to some serious security problems. That is, if a third person (say C) eventually obtains and uses the public key in this certificate, then with the private key, it is possible for A to break into the security contours of C’s communication. In such a way, on a practical level, C’s messages could be decrypted and the person could be duped to accept forged signatures.
Security
As mentioned above, while the correctness of a certificate is taken for granted, it is to be accepted that assuring the correctness of data presented by companies, person or programs seeking a certificate is rather difficult and has glaring loop holes. That is, it is not an impossible task for an applicant to dupe the certification authority. In order to plug these chinks in the armor, certification authorities usually use a combination of authentication techniques which include leveraging government bureaus, third parties databases and services, the payment infrastructure, and custom heuristics to analyze the trust worthiness of the applicant. In few enterprise systems, local types of authentication like Kerberos can be used to obtain the certificate, which in turn can be used by relying third parties. Notaries may be required in some cases to personally verify the party whose sign is being notarized.
The Twist
In large scale deployments, it is possible to come across a situation in which two entities may have different certificates issued by separate certification agencies, and both not being familiar with each other’s CA. In order to simplify this confusion, the certificate of each entity deliberately carries a public key of its certification authority, signed by another certification authority, assuming that the second CA might be recognized by the other party. Even though this does not guarantee a complete success, it may eventually lead to a hierarchy or mesh of certification authorities and certificates, which can be confusing to an extent.
|
|
Comments (1)
Leave a Reply
- Root Certificate
A Root Certificate is a self-signed certificate or an unsigned public key certificate which forms an important part of the PKI (public key infrastructure). The most common commercial type of root certificates is based on the ISO X.509 standard. Such a certificate (a X.509 certificate) usually carries the digital signature of a certification authority (CA), [...]...
- PKI Certificate
A PKI certificate, which stands for Public Key Infrastructure certificate, allows someone to combine their digital signature with a public key and something that identifies them, an example being their real life name. This certificate is used to allow computer users to show that they do own the public keys they claim to. In other [...]...
- Root Certificate Update
In most enterprise-level public key infrastructure systems, there is a dependence upon certificate chains to verify the identity of a party. When a Certificate Authority (CA) issues a certificate for any party, the legitimacy of that certificate authority must be verified. This is usually done by a higher certificate authority. This higher authority is part [...]...
- PKI Authorities
PKI Authorities consists of three different authorities that essentially make up a PKI system. These are the Registration Authority, Certification Authority and Certificate Directory. Registration Authority The jobs of the Registration Authority are to processes user requests, confirm their identities, and induct them into the user database. Certification Authority The tasks of a Certification Authority [...]...
- X.509
X.509 is an ITU-T (ITU Telecommunication Standardization Sector) standard for PKI (Public Key Infrastructure) in cryptography, which, amongst many other things, defines specific formats for PKC (Public Key Certificates) and the algorithm that verifies a given certificate path is valid under a give PKI (called the certification path validation algorithm). X.509 History X.509 began in [...]...
windows always complaints about certificate authorization of google and yahoo. How can I remove the complaints and get the certificates recognized properly.