Site home page
Get alerts when Linktionary is updated
Book updates and addendums
Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)
Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!
Contribute to this site
Electronic licensing info
Certificates and Certification Systems
Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
A certificate is a digital record that holds information about a person or organization, and usually the public key for that person or organization. In the words of Ron Rivest, one of the cofounders of RSA Data Security, "Digital certificates are your Internet calling card." They are personal digital IDs that can be used for a variety of security uses.
A certificate can be thought of as an envelope that holds public keys used for encryption and authentication. Certificates are issued by CAs (Certificate Authorities), which are public entities that validate the authenticity of the keys and the information attached to them. Basically, certificates provide a way for people and systems to exchange keys in a reliable way. Once exchanged, keys are used to encrypt and decrypt messages.Assume Bob wants to send a message to Alice, but Alice needs proof that the message is actually from Bob. Here's how the process works:
Assume Bob wants to send the message in a private encrypted form to Alice. To do so, he can obtain Alice's public key, encrypt the message, then forward it to Alice. Alice decrypts the message with her private key-- the only key that can decrypt the message.
The advantage of a CA is that it provides a way for Bob and Alice to exchange public keys in a secure and reliable way. If a key is in a CA-issued certificate, the key can be considered the authentic key of the person to which the certificate was issued.
Certificates are issued by certification authorities (CAs) such as Verisign or even the U.S. Post Office. Once issued, a certificate is usually made available to the public. Basically, by issuing a certificate, the CA is saying "We have verified that the information in this certificate about this person or organization is true and that the public key included in the certificate is a valid public key for the person or organization."
A standard certificate format (layout, structure) is necessary so that certificates can be used anywhere around the world. The most accepted certificate standard is X.509 version 3 as defined by the ISO/IEC. The certificate layout consists of information fields such as the X.509 version number, serial number, issuing CA, expiration period, holder's name, holder's public key, and optional information that may be customized to fit the application. See "X.509 Certificates."
The framework for managing keys (issuance, distribution, storage, revocation, etc.) is handled by a system that includes servers, server software, policies, and procedures. This combination is called PKI (public-key infrastructure). An important feature of a PKI system is to allow key distribution and a path of trust for users and organizations who do not know or necessarily trust each other (i.g., electronic commerce on the Internet). Refer to "PKI (Public-Key Infrastructure)" for more information.
The IETF has two working groups that are working on PKI-related topics. The PKIX (Public-Key Infrastructure) Working Group is developing Internet standards needed to support an X.509-based PKI. The SPKI (Simple Public-Key Infrastructure) Working Group is committed to developing key certificate formats and associated protocols that are simple to understand, implement, and use. SPKI is designed to support security for Internet applications, including IPSEC protocols, encrypted electronic mail and Web documents, payment protocols, and other applications with support for a range of trust models. The following Internet RFCs are useful for continuing with this topic.
This topic is covered in more detail in "The Encyclopedia of Networking and Telecommunications" with a discussion of the following:
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.