duh!

Post by Bill » Fri, 27 Jun 2003 23:10:41



Hi, I am confused about digital certificates. They are issued by a CA.
The CA takes your personal information and then issues you a digital
certificate. Are you also issued a public/private key pair at that
time and how is that key pair linked to your certificate?
Digital certificates can be used to verify that you are the proper
person to be using that key pair, right? So I start using the key pair
for sending email and perhaps conducting business through a website.
What is the process by which the recipient of my mail and my business
can verify that the key I am using is mine and that they are doing
business with me. Is this to protect them from doing business with
someone who may have stolen my private key? Or is this just to assure
them that public key they have is mine. Confused !!

Where can I find this clearly explained?

Thank you.


Post by Mikey » Fri, 27 Jun 2003 23:42:15


> Hi, I am confused about digital certificates. They are issued by a CA.
> The CA takes your personal information and then issues you a digital
> certificate. Are you also issued a public/private key pair at that
> time and how is that key pair linked to your certificate?

Digital certificates are an alternative means of RSA encryption to PGP. They
*are* a keypair.

> Digital certificates can be used to verify that you are the proper
> person to be using that key pair, right? So I start using the key pair
> for sending email and perhaps conducting business through a website.

Do you mean you use the actual certificate, or you have attached it to your
pgp key?

> What is the process by which the recipient of my mail and my business
> can verify that the key I am using is mine and that they are doing
> business with me. Is this to protect them from doing business with
> someone who may have stolen my private key? Or is this just to assure
> them that public key they have is mine. Confused !!

switch
Case you use the actual digital cert
Your digital certificate will have been signed with the CA's public key,
like when you use PGP to sign someone else's key. If the CA is set as
trusted by that business, then your cert will become trusted. They will see
a window when they open the email, saying 'content signed by Bill C.
Certificate automatically verified by verisign (or whoever issued the cert).'
Or similar, I don't have actual firsthand experience of this. Anyway, an
email client that supports S/MIME should verify this automatically. This
lets them be sure the digital cert belongs to you, because verisign says so,
and the fact that you've signed the email with your digital cert means they
know the email is from the owner of the digital cert. They therefore know
this email was sent by you, which they may need to be sure of. For example
if it was your bank and you asked them to do a money transfer, this would
let them be sure that the email really came from you and they could then
transfer the funds. If it is someone else using your website to buy things,
then the digital cert lets your customers send their credit card details to
you securely, because they've encrypted it with the public key on your cert.
They can check they are actually sending it to you by looking at the
verisign records.
Case you attached it to your pgp key.
The digital cert becomes, in effect, another signature on your pgp keypair.
Others can verify that the keypair really belongs to you because it is
signed by the digital cert, which is itself verified by verisign. This means
you don't need to phone them and check the key fingerprint.


Post by Gamma300 » Sat, 28 Jun 2003 03:07:29



> Hi, I am confused about digital certificates. They are issued by a CA.
> The CA takes your personal information and then issues you a digital
> certificate. Are you also issued a public/private key pair at that
> time and how is that key pair linked to your certificate?

I think the certificate is another name for a public key or public/private
keypair.

> Digital certificates can be used to verify that you are the proper
> person to be using that key pair, right? ...

Yep

> ...So I start using the key pair
> for sending email and perhaps conducting business through a website.
> What is the process by which the recipient of my mail and my business
> can verify that the key I am using is mine and that they are doing
> business with me...

Exactly the same as verifying a signature with PGP (possibly different hash
algorithms, etc, but basically the same principle). The only difference is
that instead of having the web of trust saying that you are you, the CA is
saying that you are you.

> ...Is this to protect them from doing business with
> someone who may have stolen my private key? Or is this just to assure
> them that public key they have is mine. Confused !!

Nope, if someone takes the private key part of the certificate, the process
is exactly the same as if someone took the private part of a PGP key. The
certificate verifies that you are Bill C, rather than someone pretending to
be Bill C. The theory is that the CA is well known to be trustworthy and to
verify that those who hold its certificates are who they say they are, but
you could get anyone to sign a PGP key, and you have no knowledge of whether
the signers are trustworthy or not.

> Where can I find this clearly explained?

All over the place! I've seen it on these groups before, plus the Thawte
help files are pretty good.
--
-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GU d-(--) s+:- a--- C++(++++) !U W++(+++) N+(++) o K? w+(--) ?O

DI++++ D G e(*) h!>--- r++ z+>+++
------END GEEK CODE BLOCK------
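Added example, not from any of the posters: the flow the two replies describe, in Go's standard x509 library. The subject generates their own key pair and keeps the private half; the CA receives only the public half, binds it to the subject's name in a certificate and signs that binding with the CA's private key; the recipient checks the chain against a CA it already trusts (using the CA's public key) before trusting the signature on the mail. `IssueCert`, `VerifySignedMail` and "Example CA" are my own constructed names, not anything from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign has signer sign tmpl and parses the result; parent == tmpl gives a self-signed (root) cert.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCert models the CA step the thread asks about. The subject's key pair is generated by
// the subject, never by the CA: the CA receives only subjectPub, binds it to subjectName in a
// certificate and signs that binding with its own *private* key. Returns CA root cert, subject cert.
func IssueCert(caKey ed25519.PrivateKey, subjectName string, subjectPub ed25519.PublicKey) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign} // "Example CA" is a constructed stand-in for Verisign/Thawte
	caCert, err := sign(caTmpl, caTmpl, caKey.Public().(ed25519.PublicKey), caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: subjectName},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, caCert, subjectPub, caKey)
	return caCert, cert, err
}

// VerifySignedMail is the recipient's side: (1) does cert chain to a CA the recipient already
// trusts, so the name in it is vouched for? (2) does sig verify under the public key in cert?
func VerifySignedMail(trustedCA, cert *x509.Certificate, msg, sig []byte) (string, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if err != nil || !ok {
		return "", false
	}
	return cert.Subject.CommonName, ed25519.Verify(pub, msg, sig)
}
```

Note what the check does and does not give you: a certificate for "Bill C" issued by a CA the recipient does not trust is rejected even with a valid signature, but nothing here detects a stolen private key, exactly as Gamma300 says.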