How does a digital certificate give you confidence ...?

Networking/Security Forums -> General Security Discussion

Author: turbomen (Location: Hong Kong) | Posted: Sat Nov 13, 2010 12:29 am | Post subject: How does a digital certificate give you confidence ...?
    ----
How does a digital certificate give you confidence while purchasing a book from Amazon.com?

What confidence does it give you? What is implied by the certificate?

I understand it is a question about 'Key Management' but I have only got the following stuff:

A CA is a "trusted organization".
CAs issue certificates to people / organizations that say "I vouch that this is who they say they are".

Could you please give me the solution?

Cheers,

Author: Dezaxa | Posted: Mon Nov 15, 2010 3:26 pm | Post subject:
    ----
A digital certificate is an electronic document that associates an encryption key with the identity of a person or organisation. Its purpose is to establish trust between the owner of the key and other parties who are users of it, for example, between the owner of a website and the people who visit the site. It may also be used for code signing, user authentication, etc.

A digital certificate incorporates a digital signature, which is a cryptographic scheme for assuring the integrity and authenticity of the certificate. The certificate is said to be ‘signed’ by the owner of the signature. In some cases, this could be the same entity as the owner of the certificate (i.e. a self-signed certificate), or it could be a certificate authority, i.e. a trusted organisation specifically set up to issue certificates. The certificate authority’s role is to establish the identity of any entity requesting a signed certificate and to issue the certificate only after suitable verification. The user expresses their confidence in the certificate authority by installing its root certificate in their client software, e.g. in their web browser. In doing so, the user trusts every entity to whom that authority issues a certificate. The common web browsers are supplied with the root certificates of the main certificate authorities pre-installed, so in effect you are trusting the distributor of your web browser.

So, in your example, when you visit the secure pages on the amazon.com website, these are certified by a VeriSign class 3 extended validation certificate. Your browser has the VeriSign root certificate installed so it trusts this page and flags this to you, e.g. by colouring the address bar green. As a result, you can be confident that this really is Amazon and not some phishing website.

That said, there are some important limitations to the confidence that digital certificates can provide:
1. Not all certificate authorities are created equal, and some have a reputation for being too ready to issue certificates. Also, there are different classes of certificate, and the weakest type do nothing but verify the email address of the requesting party.
2. Certificates may not protect you from some kinds of pharming attack against a website.
3. Certificates may be defeated by some kinds of man-in-the-middle attack.
4. Certificates may be obtained fraudulently (this happened to Microsoft a few years ago), or they may be stolen (the recent Stuxnet worm features Windows drivers digitally signed with stolen certificates).

Sorry the answer is so long, but this is a complex subject. P.S. If I do all your assignments, do I pass the exam by proxy? :)

All times are GMT + 2 Hours