Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I posted a question yesterday and had an overwhelming response that was
very helpful.

As for my next question, can you please help me understand the topic of
PKI. I understand that it is based on asymmetric key exchange, with
Public and private keys. The part that throws me off is why and how the
CA is involved.

Does the public key stay with the user and then get verified at a CA or
RA somewhere? And what are the differences between the CA nad RA? When
I go to a website that needs a certificate I'm getting a certificate
from that site and having it verified somewhere?? Or is this alreay
done somehow. How do you get a public key from a CA?

Thank you in advance



Quoted text here. Click to load it

RA is registration authority ... which is involved in registering the
public key ... this is sort of like registering a pin or a password
.... like when you open an account with an ISP and register a password
for authentication purposes in association with using that account.  a
public key is similarly registered and used for performing
authentication operations in conjunction with validating digital
signatures. recent mention of registration authority Another entry in the internet
security hall of shame

CA is certification authority ... which is involved in certifying
information that is to be associated with a public key.

a certification authority typically issues a digital certificate
which is a representation of the certification process done
by the certification authority.

PKI considered harmful

more PKI considered harmful

straight forward used of public key and digital signatures for
authentication w/o requiring PKI, certification authorities and digital

the pervasive authentication infrastructure in the world tends
to be radius. various comments about using public key registration
for radius digital signature for authentication operaton (w/o requiring
PKI, certification authorities, and/or digital certificates)

another widely used and pervasive authentication infrastructure is
kerberos ... some number of collected posts on using digital signatures
in kerberos environments (again w/o needing PKI, certification authorities,
and/or digital certificates)

related series of recent posts Another entry in the internet security
hall of shame Is there any future for smartcards? simple (& secure??) PW-based web login simple (& secure??) PW-based web login

Anne & Lynn Wheeler | /


for another popular public-key, non-PKI, certificateless based

where the public key is registered in lieu of pin/password ... besides

and kerberos

see also ssh ... there is the newsgroup and numerous
references that can be found using search engine / /

for ietf, rfc references ... see

in the "RFCs listed by" section, click on "Term (term->RFC#)"
and scroll down to "kerberos"

 see also authentication , security
 4121 4120 3962 3961 3244 3129 2942 2712 2623 1964 1510 1411

.... and

remote authentication dial in user service  (RADIUS )
 see also authentication , network access server , network services
 4014 3580 3579 3576 3575 3162 2882 2869 2868 2867 2866 2865 2809
 2621 2620 2619 2618 2548 2139 2138 2059 2058

.... clicking on the RFC numbers, brings the RFC summary up in the
lower frame. clicking on the ".txt=" field in the summary, retrieves
the actual RFC.

for IETF standards related to digital certificates and PKI

ITU public key certificate  (X.509)
 see also International Telecommunications Union , public key
 4059 4055 4043 3820 3779 3739 3709 3647 3280 3279 3161 3039 3029
 2587  2585 2560 2559 2528 2527 2511 2510 2459 1424 1422 1114

public key infrastructure  (PKI)
 see also authentication , encryption , public key
 4108 4059 4056 4055 4051 4050 4043 4034 3874 3851 3820 3779 3778
 3770 3741 3739 3709 3653 3647 3562 3447 3379 3354 3335 3281 3280
 3279 3278 3275 3174 3163 3161 3156 3126 3125 3110 3076 3075 3039
 3029 2986 2985 2943 2931 2898 2847 2807 2803 2802 2797 2726 2693
 2692 2587 2585 2560 2559 2537 2536 2535 2528 2527 2511 2510 2459
 2440 2437 2404 2403 2385 2315 2314 2313 2311 2202 2154 2137 2085
 2082 2065 2025 2015 1991 1864 1852 1828 1810 1751 1544 1424 1423
 1422 1421 1321 1320 1319 1186 1115 1114 1113 1040 989

Anne & Lynn Wheeler | /


Thank you all so much!!!


Quoted text here. Click to load it

Not in every PKI there is a CA.

The problem is, how can you trust that the public key you're getting
_really_ is the public key of the person you want to communicate with?

One solution is to have a CA, an organization you trust in, you have
received the key from and proofed it very carefully, and which is signing
then any public key / owner pair, so you can test, if the CA has checked
this before you're trusting in.

The CAs are offering this checking as a sevice. For example, SSL and
S/MIME are working like this.

The second option for a PKI is the idea of a web of trust. That means,
that everbody are checking that themselves, but you also can trust in
the checks already done of a person you're trusting in - and in the
checks, persons have done this person is trusting in.

This idea has the advantage, that no central point like a CA is needed,
that - once compromized or not trustworthy any more - will make anything

It's like peer-to-peer trusting ;-) For example, PGP, OpenPGP and GNU-PG
are working this way.

Quoted text here. Click to load it

Some people are separating the service of managing certificates and
registring object/key pairs. In this sight, a CA is managing certificates,
and the RA is registring object/key pairs by using such certificates.

See also:

You could also read RFC 1875.

"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
                                    Harald Schmidt zum "Weltjugendtag"

Site Timeline