Security Forums

How does a digital certificate give you confidence ...?

turbomen
Joined: 09 Nov 2010
Posts: 0
Location: Hong Kong

Offline

Posted: Sat Nov 13, 2010 12:29 am    Post subject: How does a digital certificate give you confidence ...?

How does a digital certificate give you confidence while purchasing a book from Amazon.com?

What confidence does it give you? What is implied by the certificate?

I understand it is a question about 'Key Management' but I have only got the following stuff:

A CA is a "trusted organization"
CA's issue certificates to people / organizations that say "i vouch that this is who they say they are".

Could you please give me the solution?

Cheers,
Dezaxa
Joined: 22 Mar 2007
Posted: Mon Nov 15, 2010 3:26 pm

A digital certificate is an electronic document that associates an encryption key with the identity of a person or organisation. Its purpose is to establish trust between the owner of the key and other parties who are users of it, for example, between the owner of a website and the people who visit the site. It may also be used for code signing, user authentication, etc.

A digital certificate incorporates a digital signature, which is a cryptographic scheme for assuring the integrity and authenticity of the certificate. The certificate is said to be ‘signed’ by the owner of the signature. In some cases, this could be the same entity as the owner of the certificate (i.e. a self-signed certificate), or it could be a certificate authority, i.e. a trusted organisation specifically set up to issue certificates. The certificate authority’s role is to establish the identity of any entity requesting a signed certificate and to issue the certificate only after suitable verification. The user expresses their confidence in the certificate authority by installing its root certificate in their client software, e.g. in their web browser. In doing so, the user trusts every entity to whom that authority issues a certificate. The common web browsers are supplied with the root certificates of the main certificate authorities pre-installed, so in effect you are trusting the distributor of your web browser.

So, in your example, when you visit the secure pages on the amazon.com website, these are certified by a VeriSign class 3 extended validation certificate. Your browser has the VeriSign root certificate installed so it trusts this page and flags this to you, e.g. by colouring the address bar green. As a result, you can be confident that this really is Amazon and not some phishing website.

That said, there are some important limitations to the confidence that digital certificates can provide:
1. Not all certificate authorities are created equal, and some have a reputation for being too ready to issue certificates. Also, there are different classes of certificate, and the weakest type do nothing but verify the email address of the requesting party.
2. Certificates may not protect you from some kinds of pharming attack against a website.
3. Certificates may be defeated by some kinds of man-in-the-middle attack.
4. Certificates may be obtained fraudulently (this happened to Microsoft a few years ago), or they may be stolen (the recent Stuxnet worm features Windows drivers digitally signed with stolen certificates).

Sorry the answer is so long, but this is a complex subject. P.S. if I do all your assignments, do I pass the exam by proxy? :)
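The chain of trust Dezaxa describes above, as an added example that is not part of the original post: a self-signed root stands in for a browser-bundled CA, that root issues a certificate binding a hostname to a fresh key pair, and the client then does what a browser does before showing the padlock, which is to check that the chain ends at a root it trusts and that the name in the certificate matches the host it is connecting to. It also shows two of the failures the post mentions: a certificate for the wrong hostname, and a certificate for the right hostname issued by a CA the client does not trust (what a phishing or man-in-the-middle site would have to present). The CA names and hostnames are constructed for the demo; nothing here contacts Amazon or uses a real VeriSign certificate, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert creates a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed with parentKey, which is what
// "issued by a CA" means at the wire level.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: issuer and subject are the same entity
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NewCA mints a self-signed root, the kind of certificate a browser ships pre-installed.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return signCert(tmpl, nil, nil)
}

// IssueServerCert has the CA vouch for a hostname by binding it to a new key pair.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := signCert(tmpl, ca, caKey)
	return cert, err
}

// VerifyServerCert makes the two checks a browser makes before trusting a site:
// the chain must end at a root in the trust store, and the certificate must name
// the host the user asked for. A nil return means "trusted".
func VerifyServerCert(leaf *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Verdicts holds the outcome of the three scenarios; nil means the client would trust the site.
type Verdicts struct{ Genuine, WrongHost, RogueIssuer error }

// RunScenarios builds the constructed PKI and evaluates the three cases.
func RunScenarios() (Verdicts, error) {
	trusted, trustedKey, err := NewCA("Example Trusted Root CA") // assumed: stands in for a bundled root
	if err != nil {
		return Verdicts{}, err
	}
	leaf, err := IssueServerCert(trusted, trustedKey, "www.amazon.com")
	if err != nil {
		return Verdicts{}, err
	}
	rogue, rogueKey, err := NewCA("Rogue CA") // assumed: a CA the client has never installed
	if err != nil {
		return Verdicts{}, err
	}
	fake, err := IssueServerCert(rogue, rogueKey, "www.amazon.com")
	if err != nil {
		return Verdicts{}, err
	}
	roots := []*x509.Certificate{trusted}
	return Verdicts{
		Genuine:     VerifyServerCert(leaf, roots, "www.amazon.com"),
		WrongHost:   VerifyServerCert(leaf, roots, "www.amazon.com.evil.example"),
		RogueIssuer: VerifyServerCert(fake, roots, "www.amazon.com"),
	}, nil
}

func main() {
	v, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine site   :", v.Genuine)
	fmt.Println("wrong hostname :", v.WrongHost)
	fmt.Println("rogue issuer   :", v.RogueIssuer)
}
```

The first verdict is nil; the second is a hostname error and the third an unknown-authority error, which is exactly the check that stops a phishing site from presenting a certificate for a name it does not own. Note what the check does not cover, matching the post's caveats: if the rogue CA's root were ever added to the trust store, or a trusted CA issued the fake certificate, the third verdict would also be nil.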