Certificates and Authentication
Appendix J Introduction to Public-Key Cryptography 771

A Certificate Identifies Someone or Something

A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver's license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of its holder's identity. Public-key cryptography uses certificates to address the problem of impersonation (see "Internet Security Issues," which begins on page 763).

To get a driver's license, you typically apply to a government agency, such as the Department of Motor Vehicles, which verifies your identity, your ability to drive, your address, and other information before issuing the license. To get a student ID, you apply to a school or college, which performs different checks (such as whether you have paid your tuition) before issuing the ID. To get a library card, you may need to provide only your name and a utility bill with your address on it.

Certificates work much the same way as any of these familiar forms of identification. Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software (such as Netscape Certificate Management System). The methods used to validate an identity vary depending on the policies of a given CA—just as the methods used to validate other forms of identification vary depending on who is issuing the ID and the purpose for which it will be used.
In general, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be.

The certificate issued by the CA binds a particular public key to the name of the entity the certificate identifies (such as the name of an employee or a server). Certificates help prevent the use of fake public keys for impersonation. Only the holder of the private key that matches the certified public key can decrypt data encrypted with that public key or produce signatures that verify under it; an impersonator who substitutes a public key of its own gains nothing unless it can also obtain a CA-signed certificate binding that key to the victim's name.

In addition to a public key, a certificate always includes the name of the entity it identifies, a validity period with an expiration date, the name of the CA that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA, computed over all of the other fields, so none of them can be altered without invalidating the signature. The CA's digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don't know the entity identified by the certificate: before relying on the binding, such a user verifies the signature with the CA's public key and checks that the certificate has not expired.

For more information about the role of CAs, see "How CA Certificates Are Used to Establish Trust," beginning on page 784.
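The binding and the signature check described above can be exercised directly. The following is an added example, not code from this appendix or from Netscape Certificate Management System; it assumes the third-party Python `cryptography` package, and the CA name ("Example CA"), the server name ("www.example.com") and every key are constructed for the demonstration. It issues a CA-signed certificate for a server, then shows that an impersonator who binds the same server name to its own key cannot produce a certificate that verifies against the real CA's public key, while a look-alike CA certificate of the attacker's own making would validate it.

```python
# Added example, not code from the original appendix or from Netscape
# Certificate Management System. Builds a toy CA with real X.509 objects to
# show what the text describes: a certificate binds a name to a public key,
# and the CA's signature over that binding is what a relying party checks.
# Assumes the third-party `cryptography` package (pip install cryptography).
# All names and keys below are constructed for the demonstration.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue_certificate(subject_cn, subject_public_key, issuer_cn, issuer_key, days=365):
    """Bind subject_public_key to subject_cn and sign the binding with issuer_key.

    The fields set here are the ones the text lists: subject name, issuer
    name, public key, serial number, validity period. sign() appends the
    issuer's digital signature computed over all of them.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(make_name(subject_cn))
        .issuer_name(make_name(issuer_cn))
        .public_key(subject_public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))  # clock-skew margin
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    return builder.sign(issuer_key, hashes.SHA256())


def verify_issued_by(cert, ca_cert):
    """Return True if the public key in ca_cert verifies the signature on cert.

    This is the "letter of introduction" check: a relying party that already
    trusts ca_cert accepts the name-to-key binding in cert only if it passes.
    A full validator also checks the validity dates, revocation status,
    extensions such as basicConstraints, and the chain up to a trusted root.
    """
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,  # every field the signature covers
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def _der(public_key):
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def demo():
    """Genuine issuance versus an impersonation attempt; returns the outcomes."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    # Self-signed CA certificate: the trust anchor the relying party is assumed
    # to have obtained out of band.
    ca_cert = issue_certificate("Example CA", ca_key.public_key(), "Example CA", ca_key)

    server_key = ec.generate_private_key(ec.SECP256R1())
    server_cert = issue_certificate("www.example.com", server_key.public_key(), "Example CA", ca_key)

    # Impersonator: claims the same subject name and the same issuer name, but
    # holds only its own key, so it can only sign the certificate itself.
    attacker_key = ec.generate_private_key(ec.SECP256R1())
    fake_cert = issue_certificate("www.example.com", attacker_key.public_key(), "Example CA", attacker_key)
    # The attacker can also mint a look-alike "Example CA" certificate for its key.
    attacker_ca = issue_certificate("Example CA", attacker_key.public_key(), "Example CA", attacker_key)

    return {
        "subject": server_cert.subject.rfc4514_string(),
        "issuer": server_cert.issuer.rfc4514_string(),
        "serial_positive": server_cert.serial_number > 0,
        "key_matches": _der(server_cert.public_key()) == _der(server_key.public_key()),
        "ca_self_signed_ok": verify_issued_by(ca_cert, ca_cert),
        "genuine_ok": verify_issued_by(server_cert, ca_cert),
        "fake_ok": verify_issued_by(fake_cert, ca_cert),
        # The look-alike CA does validate the fake: the signature check is only
        # as good as the CA certificate it is performed against.
        "fake_ok_against_lookalike_ca": verify_issued_by(fake_cert, attacker_ca),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, it prints one line per outcome. The last outcome is the point the next section (page 784) develops: the signature check proves nothing unless the CA certificate it is performed against was obtained through a trusted channel rather than from the peer being authenticated.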