Definitions
A digital certificate (or simply certificate) is
“ | [a] digitally signed statement that binds the identifying information of a user, computer, or service to a public/private key pair. A digital certificate is commonly used in the process of authentication and for securing information on networks.[1] | ” |
“ | [a] computer-generated record that ties the user's identification with the user's public key in a trusted bond. The trust is based on registration/identification policy enforced by a third party, Certification Authority. The certificate contains the following: identification of the Certification Authority issuing the certification; the user; the user's public key; and is digitally signed by the issuing Certification Authority.[2] | ” |
“ | [t]he electronic equivalent of an ID card that establishes your credentials when doing business or other transactions on the Web. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.[3] | ” |
Overview
The most common use of digital certificates is to verify that a user sending a message is who he or she claims to be and to provide the receiver with a means to encode a reply. Certificates can be issued to computer equipment and processes as well as to individuals.
For example, companies that do business over the Internet can obtain digital certificates for their computer servers. These certificates are used to authenticate the servers to potential customers, who can then rely on the servers to support the secure exchange of encrypted information, such as passwords and credit card numbers.
Digital certificates address the need to link an individual to his or her public key. A digital certificate is created by placing the individual's name, the individual's public key, and certain other identifying information in a small electronic document that is stored in a directory or other database. Directories may be publicly available repositories kept on servers that act like telephone books in which users can look up others' public keys.
The digital certificate itself is created by a trusted third party called a certification authority, which digitally signs the certificate, thus providing assurance that the public key contained in the certificate does indeed belong to the individual named in the certificate. Certification authorities are a main component of a PKI, which uses cryptographic techniques to generate and manage digital certificates.
By linking an individual to his or her public key, digital certificates help to provide assurance that digital signatures are used effectively. However, digital certificates are only as secure as the public key infrastructure that they are based on. For example, if an unauthorized user is able to obtain a private key, the digital certificate could then be compromised. In addition, users of certificates are dependent on certification authorities to verify the digital certificates. If a valid certification authority is not used, or a certification authority makes a mistake or is the victim of a cyber attack, a digital certificate may be ineffective. The PKI software in the user's computer can verify that the certificate is valid by first verifying that the certificate has not expired and then by assuring that it has not been revoked or suspended.
References
- ↑ Privacy Technology Focus Group Final Report, App. B, at 53.
- ↑ JITC, Terms and Definitions (full-text).
- ↑ Cyber Security Planning Guide, at CSG-3.