Public Key

Public Key

Digital Certificates
Public key certificate
(Redirected from Digital certificate)



In cryptography, a public key certificate (or identity certificate ) is a certificate which uses a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

Use

Certificates can be used for the large-scale use of public-key cryptography. Securely exchanging secret keys amongst users becomes impractical to the point of effective impossibility for anything other than quite small networks. Public key cryptography provides a way to avoid this problem. In principle, if Alice wants others to be able to send her secret messages, she need only publish her public key. Anyone possessing it can then send her secure information. Unfortunately, David could publish a different public key (for which he knows the related private key) claiming that it is Alice's public key. In so doing, David could intercept and read at least some of the messages meant for Alice. But if Alice builds her public key into a certificate and has it digitally signed by a trusted third party (Trent), anyone who trusts Trent can merely check the certificate to see whether Trent thinks the embedded public key is Alice's. In typical Public-key Infrastructures (PKIs), Trent will be a CA, who is trusted by all participants. In a web of trust, Trent can be any user, and whether to trust that user's attestation that a particular public key belongs to Alice will be up to the person wishing to send a message to Alice.

In large-scale deployments, Alice may not be familiar with Bob's certificate authority (perhaps they each have a different CA — if both use employer CAs, different employers would produce this result), so Bob's certificate may also include his CA's public key signed by a "higher level" CA2, which might be recognized by Alice. This process leads in general to a hierarchy of certificates, and to even more complex trust relationships. Public key infrastructure refers, mostly, to the software that manages certificates in a large-scale setting. In X.509 PKI systems, the hierarchy of certificates is always a top-down tree, with a root certificate at the top, representing a CA that is 'so central' to the scheme that it does not need to be authenticated by some trusted third party.

A certificate may be revoked if it is discovered that its related private key has been compromised, or if the relationship (between an entity and a public key) embedded in the certificate is discovered to be incorrect or has changed; this might occur, for example, if a person changes jobs or names. A revocation will likely be a rare occurrence, but the possibility means that when a certificate is trusted, the user should always check its validity. This can be done by comparing it against a certificate revocation list (CRL) — a list of revoked or cancelled certificates. Ensuring that such a list is up-to-date and accurate is a core function in a centralized PKI, one which requires both staff and budget and one which is therefore sometimes not properly done. To be effective, it must be readily available to any who needs it whenever it is needed and must be updated frequently. The other way to check a certificate validity is to query the certificate authority using the Online Certificate Status Protocol (OCSP) to know the status of a specific certificate.

Both of these methods appear to be on the verge of being supplanted by XKMS. This new standard, however, is yet to see widespread implementation.

A certificate typically includes:


The public key being signed.
A name, which can refer to a person, a computer or an organization.
A validity period.
The location (URL) of a revocation center.

The most common certificate standard is the ITU-TX.509. X.509 is being adapted to the Internet by the IETFPKIXworking group.

See also


OpenPGP
Secure Sockets Layer, Transport Layer Security
Authorization certificate

External links


Adacom: Certificate classes explained
Digital Certificates USA Research
Obtain a free Digital Certificate
Dartmouth College PKI Lab - Project to develop inter-institutional applications. Includes related links, research information and results, and contact information.
Digital Signature Links - Provide links to digital signature legislation, infrastructure initiatives, standards, certification authorities, and trusted third parties. (Juan Avellan)
FTX Online Originals - FTX Online Originals, a Compass Technology Management product, allows you to e-mail sensitive documents securely to a Trusted Third Party and receive a digital signature from tne recipient as proof of delivery.
NIST PKI Program - An initiative to coordinate industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. (National Institute of standards and Technology)
The Open Source PKI Book - An attempt to register the available open source concerning PKI, and useful technical background info.
The PKI Page - This page contains links to various sites and documents related to Public Key Infrastructure (PKI) material, especially links certificate authorities (CAs). (Stefan Kelm)
PKIForum.com - PKI news, information and education service focused on public key infrastructure, related technology, social and business issues.
Public Key Infrastructure - Standards developed by the Open Group regarding PKI.
Query Certificate Managers - Managing authenticated transmission of sensitive information over an insecure network.
RSA Laboratories - Public Key Cryptography Standards - PKCS Standards
Digital Signature Guidelines Tutorial - Discusses the legal implications of digital signature usage. (American Bar Association)
Digital Signature Resource Center - A collection of links to digital signature related laws, policy development, e-commerce, and cryptography resources. (Internet Law and Policy Forum)
Electronic Commerce and Internet Law Resource Center - A library of information regarding the legal issues surrounding cyberspace. (Perkins Coie llp)
Legalarchiver.org: SAFE Act - Complete text of the United States "Security and Freedom Through Encryption (SAFE) Act", which relaxed export controls on encryption and prohibited mandatory key escrow.
PKI Law - A PKI information exchange emphasizing emerging legal issues, to hasten the implementation of Public Key Infrastructure throughout the world
DEDICA Project - A project funded by the European Union to research the use of PKI security with UN/EDIFACT for EDI. SSL - TLS Compare SSL Certificates - Compares Certificate Authority products and prices. Provides help for generating signing requests, help installing signed certificates, and answers to frequently asked questions.
Dan Kegel's Web Hostel - Information on SSL acceleration hardware and collection of links to sites for APIs that implement SSL/TLS.
Netscape Certificate Specifications - The documents referenced below describe the certificate issuing, key generation, and certificates extensions supported in various Netscape products. (Netscape)
SSL Certificates Guide - A free SSL certificate guide to web and ecommerce security, a comparison chart of SSL vendors and what they offer.
Transport Layer Security Charter - The IETF Working Group is responsible for developing the TLS Protocol which is intended to replace SSL. Analysis of the SSL 3.0 Protocol - This note gives a detailed technical analysis of the cryptographic strength of the SSL 3.0 protocol. A number of minor flaws in the protocol and several new active attacks on SSL are presented. [Acrobat] (D. Wagner and B. Schneier)
HTTP Over TLS - Document providing information and guidelines on using TLS to secure HTTP connections.
RFC 2246 - The TLS Protocol Version 1.0 - This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol.
SMTP Service Extension for Secure SMTP over TLS - Document describing the negotiating and upgrading plain socket connection to secure socket connection.
SSL & TLS - RFC's, drafts, and relevant documents of SSL and TLS in Japanese and English
SSL encryption check - Access this frameset to test if your browser supports TLS/SSL, and for a report of which cipher and key length is used.
The SSL Protocol Version 3.0 - The SSL protocol specification. (Netscape)
SSL Version 2 Protocol Specification - Superseded by SSL Version 3 and TLS, but implemented by most browsers and secure servers. SSL Libraries Claymore PureTLS - Java SSL Implementation. Supports SSLv2, SSLv3, TLSv1. Uses Crypto library from Cryptix. [Open Source]
GNU TLS - An Open Source implementation of TLS 1.0 Internet protocol as described in RFC2246. [GPL]
Java Secure Socket Extension - Sun's official extension for SSL communication in Java. API allows third party library being used as a provider.
MatrixSSL - Open Source Embedded SSL - MatrixSSL is an open source embedded SSL implementation under 50K. It is designed for small footprint devices and applications requiring low connection overhead.
Network Security Services libraries - NSS implements SSL v2 and v3, TLS, PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, X.509v3 certificates, and other security standards. These libraries are used by Mozilla / Netscape Communicator and server products. [Open Source]
Open SSL - Collaborative effort to develop a full-featured, and Open Source toolkit implementing the secure sockets layer (SSL v2/v3) and transport layer security (TLS v1) protocols.
RSA BSAFE - It includes everything needed for delivering SSL-enabled applications developed in C, C++, or Java. It is not subject to US export control. [Commercial] (RSA Data Security)
SecureBlackbox - Delphi/Kylix component and ActiveX/DLL library [Commercial]
SSL Library - Java Library. Implements SSLv3 and backward compatible SSLv2. [Open Source]
Yet Another SSL - The yaSSL software package is an open source, dual licensed implementation of SSL. It includes SSL client libraries and an SSL server implementation. Apache-SSL - An implementation of Apache with SSL capabilities. It is based on SSLeay/OpenSSL. It is not subject to US export control. [Free / Open Source]
Apache+SSL Win32 HOWTO - Setting up Apache with mod_ssl on Windows NT and 98 to provide secure HTTP services.
Covalent Technologies, Inc. - Offers Covalent Enterprise Ready Server with 128-bit SSL and other enhancements to the Apache 2.0 Web server in the areas of security, reliability, and manageability.
mod_ssl: The Apache Interface to OpenSSL - The module provides strong cryptography for the Apache 1.3 webserver via SSL and TLS protocols, it was developed using OpenSSL, which is based on SSLeay. [Free / Open Source] (Ralf Engelschall, Ben Laurie)
secure server sitemaker1.com - If you are taking credit/debit cards, you will need a secure ordering option on your web site. Our secure server service offers a totally safe way for your clients to send their credit/debit card details.
SSLWrap - An inetd service (for Unix operating systems) that sits over POP3, IMAP, and SMTP, and encrypts data using SSL.
Stunnel - A universal SSL tunnel. It is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. [Free / Open Source]
Stunnel FAQ - Frequently Asked Questions - Where to get the software, how to install and run it, and troubleshooting tips.

Apache and Secure Transactions - It explains what SSL is, why Apache does not have it built in, and why it is such a complex issue. (Apache Week) (September 1, 1998) SSL Forum - A forum for discussing SSL-TLS topics.
SSL Security Forum - A forum and discussion board for beginners and advanced user to discuss and exchange views on web and wireless security, SSL VPN, SSL acelerator and load balancing.
SSL-Talk FAQ - Secure Sockets Layer Discussion List FAQ
public key Certificado 2018