Digital Certificates


Digital certificates are used to bind a person's name (or an identity) to a public key. Certificates, then, must come from a trusted authority. The certificate itself is determined to be valid (that is, it was issued by the certificate authority [CA] it claims to represent) by a digital signature. Because the public key of a CA can be known to anyone, it is a simple computational matter to use the CA's public key to determine that the digital signature is valid. After this is done, the certificate itself can be assumed to contain a valid identity (a user, a corporation, or another entity) associated with a public key. Using a digital certificate, you then can obtain the public key for a person and use it to encrypt data to be sent to that person, who then can use his own private key to read your message.

CAs can be trusted companies on the Internet, or you can act as your own CA in your company. Included with Windows 2000 Advanced Server and the family of Windows 2003 servers, for example, is Microsoft's Certificate Services, which can be used within a company that wants to manage its own digital certificates. If you have branch offices and want to use digital certificates to certify public keys used for communicating over the Internet, you can set up your own certificate servers in your enterprise. Or you can use a commercial company (such as VeriSign) and obtain certificates from a third party.

In practice, it also is possible for a hierarchy of certificate servers to be set up, with a single root server being the most trusted certificate server in your enterprise. Then, child certificate servers are created, which can be validated by the end user because the child certificate server itself has a certificate from the root server (or another server in the hierarchy leading back to the root server) that validates its certificate. It's all a game of trust, however. If the secret key of the root server's key pair becomes compromised, it's possible to impersonate the certificate server and all security is lost. Most certificates also are issued with an expiration date, which can be used to ensure that new certificates, created using a new key pair, are in use.
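The two ideas above (a certificate is trusted because its signature checks out under the issuer's public key, and a hierarchy is walked child by child back to a root you already trust) can be exercised directly. The following is an added example, not code from the book: it uses the `cryptography` package (assumed installed) to have a constructed root CA issue a certificate to a branch CA, which in turn issues an end-entity certificate, and then validates the chain the way the text describes. It also shows the failure cases the text warns about: a forged intermediate produced by someone without the root's private key, an expired certificate, a chain that does not end at a trusted root, and a certificate issued by a non-CA. All names, keys and dates are constructed for the demo.

```python
"""Added example, not from the book: a root CA issues a certificate to an
intermediate CA, which issues an end-entity certificate, and a verifier
walks the chain back to a trusted root exactly as the text describes.
Names, dates and keys are constructed for the demo; the `cryptography`
package (pip install cryptography) is assumed to be available."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 1, 1, tzinfo=UTC)  # constructed "current time" for the demo


def cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])


def issue(subject, subject_key, issuer, issuer_key, is_ca, start=NOW, days=365):
    """Bind `subject` to the public half of subject_key, signed with issuer_key."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(cn(subject))
        .issuer_name(cn(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across library versions."""
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),  # older releases return naive UTC
            cert.not_valid_after.replace(tzinfo=UTC))


def signed_by(cert, issuer_public_key):
    """The 'simple computational matter': check the signature with the issuer's public key."""
    try:
        issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def validate_chain(chain, trusted_roots, at=NOW):
    """chain = [end-entity, ..., root candidate]. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        not_before, not_after = validity(cert)
        if not not_before <= at <= not_after:
            return False, f"{cert.subject.rfc4514_string()} not valid at {at:%Y-%m-%d}"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer.subject != cert.issuer:
                return False, "issuer name mismatch"
            basic = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not basic.ca:  # only a CA certificate may vouch for another certificate
                return False, f"{issuer.subject.rfc4514_string()} is not a CA"
            issuer_key = issuer.public_key()
        else:
            if cert not in trusted_roots:  # the walk must end at a root we already trust
                return False, "chain does not end at a trusted root"
            issuer_key = cert.public_key()  # a root is self-signed
        if not signed_by(cert, issuer_key):
            return False, f"bad signature on {cert.subject.rfc4514_string()}"
    return True, "ok"


def build_scenarios():
    """Construct the hierarchy plus the failure cases the text warns about."""
    root_key, inter_key, leaf_key, rogue_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4))
    root = issue("Example Root CA", root_key, "Example Root CA", root_key, True, days=3650)
    inter = issue("Example Branch CA", inter_key, "Example Root CA", root_key, True, days=1825)
    leaf = issue("alice@example.com", leaf_key, "Example Branch CA", inter_key, False)
    # An impostor without the root's private key can name the root as issuer,
    # but cannot produce a signature the root's public key will accept.
    forged = issue("Example Branch CA", rogue_key, "Example Root CA", rogue_key, True)
    forged_leaf = issue("alice@example.com", leaf_key, "Example Branch CA", rogue_key, False)
    expired = issue("old@example.com", leaf_key, "Example Branch CA", inter_key, False,
                    start=NOW - datetime.timedelta(days=400), days=30)
    from_leaf = issue("bob@example.com", leaf_key, "alice@example.com", leaf_key, False)
    trusted = {root}
    return {
        "good": validate_chain([leaf, inter, root], trusted),
        "forged_intermediate": validate_chain([forged_leaf, forged, root], trusted),
        "expired_leaf": validate_chain([expired, inter, root], trusted),
        "untrusted_root": validate_chain([leaf, inter, root], set()),
        "issued_by_non_ca": validate_chain([from_leaf, leaf, inter, root], trusted),
    }


SCENARIOS = build_scenarios()

if __name__ == "__main__":
    for name, (ok, reason) in SCENARIOS.items():
        print(f"{name:22} {'PASS' if ok else 'FAIL'}: {reason}")
```

Note the order of checks: each certificate's signature is verified over its to-be-signed bytes with the public key taken from the next certificate up, never from the certificate itself, and the last link must be a root the verifier already holds; a self-consistent chain that ends at an unknown root proves nothing.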

For this reason, should you choose to operate your own certificate server(s) in your network, you need to take extreme security precautions to safeguard the private key. Likewise, if you use a third-party commercial certificate service, you need to read the policy of that company to determine how it verifies the identity of the end users that it issues certificates to. For example, a CA might simply verify the email address of the requestor and issue a certificate. For a software publisher, the CA might conduct some kind of background check and require further evidence before it issues certificates to the company. Before you decide to use a commercial service for issuing digital certificates, be sure you investigate the company's policies for both issuing and revoking certificates.

Note

CAs on the Internet have become numerous in the past few years. If you want to learn more about how commercial certificate issuers operate, visit the Web sites of some of the better-known issuers:

www.verisign.com/

www.rsasecurity.com/

www.entrust.com/

Be sure to read their policies before you decide to use a commercial CA. Find out what mechanisms they use to verify the identity of the person or entity they issue certificates to. Find out what they do to support revoking certificates that have become compromised, and whether or not they issue certificates that expire after a period of time.

If you'd like to experiment with personal certificates, Thawte (www.thawte.com) offers free personal email certificates from its Web site.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434