Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info



Certificates and Certification Systems

Related Entries    Web Links    New/Updated Information

Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

A certificate is a digital record that holds information about a person or organization, and usually the public key for that person or organization. In the words of Ron Rivest, one of the cofounders of RSA Data Security, "Digital certificates are your Internet calling card." They are personal digital IDs that can be used for a variety of security uses.

A certificate can be thought of as an envelope that holds public keys used for encryption and authentication. Certificates are issued by CAs (Certificate Authorities), which are public entities that validate the authenticity of the keys and the information attached to them. Basically, certificates provide a way for people and systems to exchange keys in a reliable way. Once exchanged, keys are used to encrypt and decrypt messages.

Assume Bob wants to send a message to Alice, but Alice needs proof that the message is actually from Bob. Here's how the process works:

  1. Bob generates a pair of keys using a special utility. These keys are unique and linked to one another. Data encrypted by one key may only be decrypted by the other.

  2. Bob keeps the private key and makes the public key available for public use.

  3. When Bob is ready to send a message to Alice, he encrypts it with his private key.

  4. Upon receipt, Alice obtains Bob's public key, which is verifiable via the certificate and issueing certificate authority. The ability to decrypt the message with Bob's public key proves the message is from Bob.

Assume Bob wants to send the message in a private encrypted form to Alice. To do so, he can obtain Alice's public key, encrypt the message, then forward it to Alice. Alice decrypts the message with her private key-- the only key that can decrypt the message.

The advantage of a CA is that it provides a way for Bob and Alice to exchange public keys in a secure and reliable way. If a key is in a CA-issued certificate, the key can be considered the authentic key of the person to which the certificate was issued.

Certificates are issued by certification authorities (CAs) such as Verisign or even the U.S. Post Office. Once issued, a certificate is usually made available to the public. Basically, by issuing a certificate, the CA is saying "We have verified that the information in this certificate about this person or organization is true and that the public key included in the certificate is a valid public key for the person or organization."

A standard certificate format (layout, structure) is necessary so that certificates can be used anywhere around the world. The most accepted certificate standard is X.509 version 3 as defined by the ISO/IEC. The certificate layout consists of information fields such as the X.509 version number, serial number, issuing CA, expiration period, holder's name, holder's public key, and optional information that may be customized to fit the application. See "X.509 Certificates."

The framework for managing keys (issuance, distribution, storage, revocation, etc.) is handled by a system that includes servers, server software, policies, and procedures. This combination is called PKI (public-key infrastructure). An important feature of a PKI system is to allow key distribution and a path of trust for users and organizations who do not know or necessarily trust each other (i.g., electronic commerce on the Internet). Refer to "PKI (Public-Key Infrastructure)" for more information.

The IETF has two working groups that are working on PKI-related topics. The PKIX (Public-Key Infrastructure) Working Group is developing Internet standards needed to support an X.509-based PKI. The SPKI (Simple Public-Key Infrastructure) Working Group is committed to developing key certificate formats and associated protocols that are simple to understand, implement, and use. SPKI is designed to support security for Internet applications, including IPSEC protocols, encrypted electronic mail and Web documents, payment protocols, and other applications with support for a range of trust models. The following Internet RFCs are useful for continuing with this topic.

  • RFC 2459 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, January 1999)

  • RFC 2510 (Internet X.509 Public Key Infrastructure Certificate Management Protocols, March 1999)

  • RFC 2511 (Internet X.509 Certificate Request Message Format, March 1999)

  • RFC 2527 (Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, March 1999)

  • RFC 2692 (SPKI Requirements, September 1999)

  • RFC 2693 (SPKI Certificate Theory, September 1999)

This topic is covered in more detail in "The Encyclopedia of Networking and Telecommunications" with a discussion of the following:

  • Certificate use for identification, access control, and security clearances
  • Certificate use in online buying transactions, including SET (Secure Electronic Transaction) schemes
  • Certificate creation
  • Certificate validation procedures
  • More about certificate authorities and public-key infrastructure

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.