A digital certificate is equivalent to an electronic ID card. It serves two purposes:
- To establish the identity of the owner of the certificate
- To distribute the owner's public key
Certificates provide a way of authenticating users, referred to as authentication by trusted third parties. Instead of requiring each participant in an application to authenticate every user, third-party authentication relies on the use of certificates, electronic ID cards.
Certificates are issued by trusted parties, called certificate authorities (CAs). These authorities can be commercial ventures or they can be local entities, depending on the requirements of your application. Regardless, the CA is trusted to adequately authenticate users before issuing certificates to them. Also, when a CA issues certificates, it digitally signs them. When a user presents a certificate, the recipient of the certificate validates it by using the digital signature.
If the digital signature validates the certificate, the certificate is known to be intact and authentic. Participants in an application need only to validate certificates; they do not need to authenticate users themselves. The fact that a user can present a valid certificate proves that the CA has authenticated the user. The descriptor trusted third-party indicates that the system relies on the trustworthiness of the CA.
What are digital certificates?
Digital certificates are primarily used to authenticate communication over the Internet. There are three categories of digital certificates: Web Server Certificates, Developer Certificates and Personal Certificates:
- Web Server Certificates: These are the electronic equivalent of a business license. They assure potential customers that the site they are visiting is a legitimate business.
- Developer Certificates: These certificates enable developers to sign software and macros and deliver them safely to customers over the Internet. The customer can be confident that the software or macros are legitimate.
- Personal Certificates: These certificates secure e-mail conversations and access to corporate web servers.
For simplicity, this paper focuses primarily on Personal Digital Certificates, which are used primarily to authenticate e-mail communication. Personal certificates are like a driver's license or a passport: both are provided to you by a trusted source. When you show one as proof of identity to someone else, it gives them confidence that they are dealing with the real you. For a company, certificates are similar to a business license in that they validate that the business is legitimate.
If Sue sees a signed icon in an e-mail message she receives from Joe, she can be assured that the e-mail is actually from Joe. Personal digital certificates provide assurance that the person or entity sending the e-mail is who they say they are. Digital certificates allow one to have confidence that the person or company with whom they are communicating is indeed who they claim to be.
When used in combination with encryption (this ability comes with the certificate), certificates provide additional assurance that only the intended party can access the data and that the data will not be compromised en route. Digital certificates allow applications like e-mail, online trading, and credit card purchasing to be conducted in a secure environment.
The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authority's public key and, now confident of the public key of the sender, verifies the message's signature. There may be two or more certificates enclosed with the message, forming a hierarchical certificate chain, wherein one certificate testifies to the authenticity of the previous certificate.
At the end of a certificate hierarchy is a top-level certifying authority, which is trusted without a certificate from any other certifying authority. The public key of the top-level certifying authority must be independently known, for example, by being widely published.
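The signature validation described earlier (the CA signs the certificate, the recipient checks that signature) and the certificate chain described in the last two paragraphs can be exercised end to end with the OpenSSL command-line tool. The script below is an added example, not code from the original paper. It builds a self-signed top-level CA, an intermediate CA whose certificate is signed by the root, and a personal certificate for Joe signed by the intermediate; it then verifies Joe's certificate the way a recipient would, with only the root's public key known in advance and the intermediate supplied alongside the message, and shows the same chain being rejected by a recipient who trusts a different root. It assumes a POSIX shell and an `openssl` binary (1.0.2 or later); the CA names, Joe's e-mail address and the temporary working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original paper): build and verify a
# three-level certificate hierarchy with OpenSSL. All names, subjects
# and the working directory below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certificates may sign other certificates,
# the personal (leaf) certificate may not.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed top-level CA. Nothing signs it, so its public key has to
# reach recipients through some independent channel (here, the file).
# $1 = file stem, $2 = subject common name
make_root() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days 365 -subj "/CN=$2" \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a certificate: generate a key and request, then have the issuer
# sign the request. $1 = new stem, $2 = subject, $3 = issuer stem,
# $4 = extension profile (v3_ca or v3_leaf)
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -subj "$2" -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  make_root root "Demo Root CA"
  issue int "/CN=Demo Intermediate CA" root v3_ca
  issue joe "/CN=Joe/emailAddress=joe@example.com" int v3_leaf
  # An unrelated root, standing in for a recipient who trusts someone else.
  make_root other "Unrelated Root CA"
}

# Recipient side: trust only the named root. The intermediate certificate
# is "enclosed with the message", so it is passed as untrusted material
# and must itself chain up to the trusted root.
# $1 = stem of the root the recipient trusts
verify_with_root() {
  openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/int.crt" \
    "$WORK/joe.crt" >/dev/null 2>&1
}

build_chain
if verify_with_root root; then
  echo "joe.crt accepted: chain ends at the trusted Demo Root CA"
else
  echo "unexpected: verification against Demo Root CA failed"
fi
if verify_with_root other; then
  echo "unexpected: chain accepted under an unrelated root"
else
  echo "joe.crt rejected: recipient trusts only Unrelated Root CA"
fi
```

The two `verify_with_root` calls are the whole point: the recipient never authenticates Joe directly, only checks that each signature in the chain verifies under the next certificate's public key and that the chain terminates at a root whose key was already known. Swapping in a root the recipient does not hold breaks the chain even though every individual certificate is well formed and correctly signed.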