10.5 Digital Signatures




Digital certificates are electronic versions of identity cards or passports, and the issuing process is similar. An approved body, called the certification authority, checks information about a developer and, when it is satisfied, will issue a digital certificate. This will contain information about the developer and the certification authority that issued the certificate. So who certifies the certification authority? Well, there is a hierarchy of authorities, often starting from a government level, that ensures that only trusted bodies are approved to issue certificates. Hierarchical information is often included as part of the certificate, again, endorsing its authority.

Digital certificates are used to sign code, documents, and controls so that the source of these items can instantly be verified and displayed to a user to establish a trust relationship.

Certificate integrity is ensured by a standard technology called public-key cryptography. This uses a matched pair of keys called a private key and a public key.

Keys use a large value, which makes it infeasible for existing technology to break a key using brute computational effort. Note the careful use of the word "existing": never is a long time, and previously unbreakable keys have been hacked following recent advances in computing power!

To reduce the chances of a hacker deriving a private key from its associated public key, the certificate authority will timestamp a key pair so that the keys will need to be replaced on a regular basis. Signatures applied while a certificate is active will last ad infinitum, but those applied after a certificate expires will be invalid.
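The two checks described above (the signature must verify under the certificate's public key, and it must have been applied while the certificate was active) are shown below as an added example; it is not code from the book. The subject name, dates, sample bytes and the `IsAcceptable` helper are constructed for illustration, a self-signed certificate stands in for one issued by a certification authority, and the signing time is taken as given, whereas in practice it must come from a trusted timestamp.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignatureDemo
{
    // Hypothetical helper: accept a signature only if it verifies under the
    // certificate's public key AND was applied inside the validity period.
    static bool IsAcceptable(X509Certificate2 cert, byte[] data, byte[] sig, DateTime signedAtUtc)
    {
        using RSA pub = cert.GetRSAPublicKey();
        bool signatureOk = pub.VerifyData(data, sig, HashAlgorithmName.SHA256,
                                          RSASignaturePadding.Pkcs1);
        bool certWasActive = signedAtUtc >= cert.NotBefore.ToUniversalTime()
                          && signedAtUtc <= cert.NotAfter.ToUniversalTime();
        return signatureOk && certWasActive;
    }

    static void Main()
    {
        // Constructed key pair; the private key never leaves the signer.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Example Developer", key,
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Constructed one-year validity period.
        var notBefore = new DateTimeOffset(2023, 1, 1, 0, 0, 0, TimeSpan.Zero);
        using X509Certificate2 cert = req.CreateSelfSigned(notBefore, notBefore.AddYears(1));

        // Constructed sample standing in for the bytes of a signed assembly.
        byte[] code = Encoding.UTF8.GetBytes("constructed sample: contents of a signed file");
        byte[] sig = key.SignData(code, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        var whileActive = new DateTime(2023, 6, 1, 0, 0, 0, DateTimeKind.Utc);
        var afterExpiry = new DateTime(2024, 6, 1, 0, 0, 0, DateTimeKind.Utc);

        // Same bytes and signature; only the signing time differs.
        Console.WriteLine($"signed while active: {IsAcceptable(cert, code, sig, whileActive)}");
        Console.WriteLine($"signed after expiry: {IsAcceptable(cert, code, sig, afterExpiry)}");

        // One flipped bit in the signed content breaks verification.
        byte[] tampered = (byte[])code.Clone();
        tampered[0] ^= 0x01;
        Console.WriteLine($"tampered content:    {IsAcceptable(cert, tampered, sig, whileActive)}");
    }
}
```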






Microsoft .NET: Jumpstart for Systems Administrators and Developers (Communications (Digital Press))
ISBN: 1555582850
EAN: 2147483647
Year: 2003
Pages: 136
Authors: Nigel Stanley
