4.2 Certificates

The process of creating an encrypted session using modern technologies is trivial. Most of us use them every day without knowing it, while checking our investment portfolios, banking, and shopping online. The real problem is knowing with whom you have just established an encrypted session. While public key cryptography was a great advancement in the field of cryptography, it still lacks the ability to prove that the other side is who they say they are. Knowing my name, you could create a public/private key pair that looks like it came from Cliff Riggs. If you sent it to someone who had never met me, they would have no way of knowing otherwise. The same problem applies to online commerce. Just because your browser shows a little lock symbol in the corner, indicating that the session to the Web server is encrypted, how are you to know that you are actually encrypting information to your banker and not to a rogue Web server that is merely masquerading as your banker?

To eliminate this uncertainty and provide some assurance, we need to introduce another technology, known broadly as certificates. We use certificates all the time. When I board an airplane, I establish my identity with my picture driver's license to the ticket agent, the pre-security checkpoint, the security guard, the airline representative who checks my ticket before I board, the person who meets me on the concourse to check my ticket, the person who greets me getting on the plane, and the occasional random person who seems to be in some way associated with airport security. This certificate is used to establish that the holder of the ticket is indeed none other than Cliff Riggs. The small army of people who check my ID do not know me personally, but they have sufficient faith that the state of Vermont took the appropriate steps to verify my identity before issuing it. These airline representatives may not trust me, but they do trust the entity that provided the certificate. In this case, the state of Vermont was acting as a certification authority (CA). When we apply this concept to cryptographic keys, we have the digital equivalent of a photo ID.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Authors: Cliff Riggs