Computerworld - This book excerpt is from Chapter 6 "Certificates and Certifications" of the newly released Understanding PKI, Second Edition: Concepts, Standards, and Deployment Considerations. It is posted with permission from Addison-Wesley Professional.
As we discussed in Chapter 2, public-key cryptography involves the use of public/private-key pairs to facilitate digital signature and key management services. The fundamental principle that enables public-key technology to scale is the fact that the public component of the public/private-key pair may be distributed freely among the entities that need the public component to use the underlying security services. (See Chapters 4 and 5 for more information regarding security services enabled through the use of a PKI.)
However, distribution of the public component without some form of integrity protection would defeat the very foundation for these security services. Thus, the public-key component must be protected in such a way that it will not impact the overall scalability that public-key cryptography techniques offer. Further, we need to bind certain attributes with the public key.
Thus, a data integrity mechanism is required to ensure that the public key (and any other information associated with that public key) is not modified without detection. However, a data integrity mechanism alone is not sufficient to guarantee that the public key belongs to the claimed owner. A mechanism that binds the public key to the claimed owner in a trustworthy manner is also required. In the end, the goal is to provide a single mechanism by which a relying party (that is, the "user" of the key and associated data, as defined in [RFC2527] is assured that
Certificates
Kohnfelder first introduced the concept of using a signed data structure or certificate to con-vey the public key to a relying party in his 1978 bachelor's thesis entitled "Towards a Practical Public-Key Cryptosystem" [Kohn78]. Thus, over two decades ago, it was recognized that a scalable and secure method (from an integrity perspective) would be required to convey the public keys to the parties that needed them. Simply stated, public-key certificates are used to bind an entity's name (and possibly additional attributes associated with that entity) with the corresponding public key.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
