Cryptography Reference
In-Depth Information
The example presented in Figure 17-2, which shows a client's digitally
signed bank statement together with the certificate of the bank presented by a
certification authority, demonstrates this process.
Version
Serial Number
Signature
Issuer Name
Validity
W
3
-Bank
Statement
of Account
Name:
Browser,
Bernard
Account:
12345 67890
Balance:
$4286.337
Subject Name
Issuer Identifier
10110 11110 11000 11110 0
01111 00000 11011 1001 º
Date:
06/14/2000
Public Key
of the Bank
Signature :
11101 01101 10100 11100 01
11010 01001
11001 11111 º
Certificate of the Bank
Digitally Signed
Bank Statement
B verifies the certificate presented by the bank and uses
the public key of the bank to verify the digital signature of the bank
Figure 17-2. Certification of a digital signature
Such a bank statement has the advantage that it can reach the client over any
electronic transmittal path, such as e-mail, in which it would be further encrypted
to protect the confidentiality of the information.
However, the problem of trust has not been hereby miraculously cleared up,
but merely shifted: Now
B
need no longer believe directly in the validity of
A
's
key (in the above example that of the bank), but in exchange must check the
genuineness of the certificate presented by
A
. For certainty to be attained, the
validity of certificates must be verified anew for every occurrence, either from
the source that issued the certificate or an authority that represents it. Such a
procedure can succeed only if the following conditions are met:
•
the public key of the certification authority is known;
•
the certification authority takes the greatest care in the identification of the
receivers of certificates and in the protection of their private certification
keys.
To achieve the first of these desiderata the public key of the certification
authority can be certified by an additional, higher, authority, and so forth,
resulting in a hierarchy of certification authorities and certificates. However,
verification along such a hierarchy assumes that the public key of the highest
certification authority, the
root certification authority
, is known and can be
accepted as authentic. Trust in this key must thus be established by other means
through suitable technical or organizational measures.
