Dezaxa Forum Fanatic
Joined: 22 Mar 2007 Posts: 16777214
Posted: Mon Nov 15, 2010 3:26 pm
A digital certificate is an electronic document that associates an encryption key with the identity of a person or organisation. Its purpose is to establish trust between the owner of the key and other parties who are users of it, for example, between the owner of a website and the people who visit the site. It may also be used for code signing, user authentication, etc.
A digital certificate incorporates a digital signature, which is a cryptographic scheme for assuring the integrity and authenticity of the certificate. The certificate is said to be ‘signed’ by the owner of the signature. In some cases, this could be the same entity as the owner of the certificate (i.e. a self-signed certificate), or it could be a certificate authority, i.e. a trusted organisation specifically set up to issue certificates. The certificate authority’s role is to establish the identity of any entity requesting a signed certificate and to issue the certificate only after suitable verification. The user expresses their confidence in the certificate authority by installing its root certificate in their client software, e.g. in their web browser. In doing so, the user trusts every entity to whom that authority issues a certificate. The common web browsers are supplied with the root certificates of the main certificate authorities pre-installed, so in effect you are trusting the distributor of your web browser.
So, in your example, when you visit the secure pages on the amazon.com website, these are certified by a VeriSign class 3 extended validation certificate. Your browser has the VeriSign root certificate installed so it trusts this page and flags this to you, e.g. by colouring the address bar green. As a result, you can be confident that this really is Amazon and not some phishing website.
That said, there are some important limitations to the confidence that digital certificates can provide:
1. Not all certificate authorities are created equal, and some have a reputation for being too ready to issue certificates. Also, there are different classes of certificate, and the weakest type does nothing but verify the email address of the requesting party.
2. Certificates may not protect you from some kinds of pharming attack against a website.
3. Certificates may be defeated by some kinds of man-in-the-middle attack.
4. Certificates may be obtained fraudulently (this happened to Microsoft a few years ago), or they may be stolen (the recent Stuxnet worm features Windows drivers digitally signed with stolen certificates).
Sorry the answer is so long, but this is a complex subject. P.S. if I do all your assignments, do I pass the exam by proxy?
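The signing and trust relationship described in the post above, as an added example that is not part of the original post: a throwaway root CA signs a site certificate, and the same verification then rejects a self-signed look-alike unless that look-alike is itself placed in the trust store. It assumes the `openssl` command-line tool is installed; the names "Demo Root CA" and "shop.example" and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all names (Demo Root CA, shop.example) are constructed.

# Build a throwaway PKI in directory $1: a self-signed root, a site
# certificate signed by that root, and a self-signed look-alike.
make_demo_pki() {
  dir=$1
  # Root CA: signs its own certificate, so subject and issuer are identical.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
  # Site owner: generates a key pair and a signing request for its name.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null || return 1
  # CA: issues the site certificate by signing the request with the root key.
  openssl x509 -req -in "$dir/site.csr" -days 1 -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/site.pem" 2>/dev/null || return 1
  # Look-alike: same name, but signed only by its own key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=shop.example" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 verifies with $1 supplied as a trusted root.
is_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the issuer line of certificate $1.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Demo: the verdict depends on which certificate sits in the trust store.
d=$(mktemp -d) && make_demo_pki "$d" || exit 1
issuer_of "$d/site.pem"
for pair in root:site root:rogue rogue:rogue; do
  anchor=${pair%%:*}; cert=${pair##*:}
  if is_trusted "$d/$anchor.pem" "$d/$cert.pem"; then verdict=accepted; else verdict=rejected; fi
  echo "trust store=$anchor.pem  presented=$cert.pem  -> $verdict"
done
rm -rf "$d"
```

The last case is the reason to treat every addition to a trust store as a security decision: once a certificate is installed as a root, anything it signs, including itself, verifies.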