Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Jonathan Neve
September 17, 2004, 10:16 am
rate this thread
I'm new to SSL in general, and mod_ssl and OpenSSL in particular!
I just had one basic question: what exactly is the use of a
Certificate Authority? As I understand it, it's basically just a
company that is officially recognized, and that officially recognized
your certificate as truely corresponding to yourself... Is that right?
If so, I can understand (somewhat), that someone performing a lot of
online e-commerce might be willing to pay (a significant amount) to
get this official recognition. But what if I merely want to send
confidential data to authorized users, over the internet... is there
anything that would make this _technically_ less secure than using an
official certificate authority? If it's just a matter of trust, then
it's no problem, but is there any technical reason why this is not
advisable (the authorized people who to whom we want to send
confidential data are part of the company, and they are relatively
few; they are _not_ mere unknown surfers)?
BTW, if this is not the right group, please tell me where to post!
And SSL is not SSH, so the post os off-topic here. Any followups to
this message (and a copy of this message) are directed to
Yes, the CA's sign the public keys they choose to trust with their own,
As the keys are answer to the problem of retaining at least some level
of confidnetiality in exchanging information over an untrusted channel,
the problem is how can you establish trust in a certain key when you
receive it through perhaps the same untrusted channel?
To send a confidential message to someone, you need a copy of their public
key. So, ok, you somehow receive (in e-mail?) a copy of a public key
purpoting to be from one of your correspondents. How can you trust that
this key is a genuine one, that there is no malicious third party
creating a fake key purpoting to be from your correspondent?
One solution is that you have some other channel that you trust, through
which you transport some identification information about the public
key, so that you can trust that the key is a genuine one (supposing
that you have initial trust that the correspondent is who they claim
to be). Or, if you have this kind of trusted channel (f.ex. you can
arrange to meet your correspondent in person), you could also receive
the public key itself through this channel.
The other solution is that there's a trusted third party who can add
their signatures to keys they consider trsutworthy (and in process
they also verify to some level the purpoted identity of the key owner).
The verification of these signatures in public keys naturally require
the availability and trustworthiness of the public keys of these trusted
third parties (certificate authorities). As the CA public keys are mostly
distributed along with operating systems/browsers, this places the trust
on the software distribution channels. So, when you download a browser
update containing upgrade to the CA public key collection on your machine,
take a moment to think whether you can trust that these CA keys were not
maliciously injected to the distribution.
So, the value of CA's is that they to some level verify the identity
that is bound to the key (or, verify that the identity of the requester
of the key actually matches to the identity bound to the key). The other
value is that (if you can trust your collection of CA keys) the CA
signatures allow you to use untrusted channels to deliver the public
keys to authenticate/encrypt your messages.
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Thank you for the information u provided about certificates an CAs.
Do u know of some place where i can find more information on this
Specifically, i would like to..
1. understand the the format of a digital certificate.
2. know what exactly the CA does while signing my certificate.
3. what do i need to do in order to sign other people's certificates.
i know that, my public key not being preinstalled in any system, it
would not be of much use. but still, can i do it?
p.s: i am not talking about self signed certificates here.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum