We’ve probably all seen those simple diagrams where a digital signature proves that a message was made with a particular key pair. For electronic commerce, authenticating a key pair alone might not be adequate. For business transactions, each key pair needs to be closely bound to the consumer who owns it. A digital certificate is a credential that binds a key pair to the entity that owns that key pair. Digital certificates are issued by certification authorities, and it is the authority’s standing that lets us trust the binding the certificate asserts.
A digital signature is fine for verifying e-mail, but a stronger method is needed to associate an individual with the bits on the network that purport to “belong” to Tom Smith (we touched on this in our earlier post, where a signature was used to control access to an app for watching BBC News abroad). For electronic commerce to work, the association has to be strong enough to be legally binding. When Tom Smith has a digital certificate to present to the world at large, he holds something that can command more trust than the “seal” made by his own digital signature.
You might trust his digital signature, but what if some other trusted authority also vouched for Tom Smith?
Wouldn’t you then trust Tom Smith a little more? A digital certificate is issued by an organization that has a reputation to defend. This organization, known as the certificate authority (CA), may be Tom’s employer, an independent organization, or the government. The CA will take steps to establish certain facts about Tom Smith before issuing a certificate for him.
The certificate will normally contain Tom’s name, his public key, the serial number of the certificate itself, and its validity dates (issue and expiry). It will also bear the name of the issuing CA. The whole certificate is digitally signed with the CA’s own private key.
Finally we have a mechanism that lets individuals with no previous relationship establish each other’s identity and take part in the legally binding transactions of electronic commerce. It is certainly more efficient and secure than something like geo-location, which simply infers your identity from your location: a web site might, for example, decide your nationality from your network address, as with the British IP address needed to access the BBC online.
Certificates, if issued and handled correctly, inspire trust among Internet traders. It is not, however, as easy as it might sound.
Certificates expire, are lost, are issued to the wrong person, or have to be revoked because the details held on the certificate are wrong (perhaps the public key was compromised), and all of this leads to a large certificate management effort, or even a campaign.
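To make the two paragraphs above concrete (the fields a certificate carries and the CA’s signature over them, and what a relying party must check before trusting one), here is an added example in Go using only the standard library’s crypto/x509 package. It is not code from this post: it builds a toy CA in memory, issues a certificate binding the name “Tom Smith” to a freshly generated key, and then verifies it three ways: at the current time, after its expiry date, and after the CA has revoked its serial number. The names, serial numbers and validity periods are made up, and the `revoked` set is a stand-in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA generates a key pair and a self-signed CA certificate (constructed
// example). Relying parties obtain this root out of band and choose to trust it.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// parent == template: the CA signs its own certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewSubjectKey is the subscriber's own key pair; only the public half goes to the CA.
func NewSubjectKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue binds a subject name to a public key for a validity period under the CA's
// signature: subject, public key, serial, validity dates and issuer name, as in the text.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, serial int64,
	pub *ecdsa.PublicKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt is the relying party's check: not revoked, signed by a CA we trust,
// and within its validity dates at time t. The revoked set stands in for a CRL.
func VerifyAt(cert, trusted *x509.Certificate, t time.Time, revoked map[string]bool) error {
	if revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s has been revoked", cert.SerialNumber)
	}
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, err := NewCA("Example CA", now)
	if err != nil {
		panic(err)
	}
	tomKey, _ := NewSubjectKey()
	cert, err := Issue(ca, caKey, "Tom Smith", 1001, &tomKey.PublicKey,
		now.Add(-time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject.CommonName, " issuer:", cert.Issuer.CommonName)
	fmt.Println("serial:", cert.SerialNumber, " valid:", cert.NotBefore.Format(time.RFC3339), "to", cert.NotAfter.Format(time.RFC3339))
	fmt.Println("verify now:", VerifyAt(cert, ca, now, nil))
	fmt.Println("verify after expiry:", VerifyAt(cert, ca, now.Add(2*365*24*time.Hour), nil))
	fmt.Println("verify when revoked:", VerifyAt(cert, ca, now, map[string]bool{"1001": true}))
}
```

The point worth noticing is that the signature check alone is not the whole story: the same certificate that verifies cleanly today fails once its expiry date has passed, fails against a CA the relying party does not trust, and fails once the issuer has revoked it, which is exactly the management burden the text describes.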
The X.509 v3 certificate format is the standard used for public key certificates and is widely used by Internet security protocols (such as SHTTP). Based on X.509 v3, digital certificates are increasingly used as electronic credentials for identification, non-repudiation, and even authorization when making payments and conducting other business transactions on the Internet or on corporate intranets.
Just as in today’s credit card system, where millions of card numbers issued by banks anywhere in the world are confirmed electronically, the use of digital certificates will demand a clearing-house network for certificate confirmation on a comparable scale.