While this approach may suffice for some applications of public-key cryptography, there are several significant problems:
Universality. The directory has to be trusted by all users of the public-key management system.
Availability. The directory has to be online and available at all times to users of the public-key management system.
Accuracy. The directory needs to be maintained accurately and protected from unauthorised modification.
In truly open application environments, such a trusted directory might potentially need to account for public keys associated with public-key owners throughout the world. Establishing a trusted directory that everyone trusts, is always online, and is always accurate is likely to be impossible.
However, this basic idea does provide the required assurance of purpose. A more practical solution would be to provide assurance of purpose by distributing the functionality of the trusted directory in some manner. This motivates the notion of a public-key certificate, which we now discuss.
11.1.2 Public-key certificates
A public-key certificate is data that binds a public key to data relating to the
assurance of purpose of that public key. It can be thought of as a trusted directory
entry in a sort of distributed database.
CONTENTS OF A PUBLIC-KEY CERTIFICATE
A public-key certificate contains four essential pieces of information:
Name of owner. The name of the owner of the public key. This owner could be a person, a device, or even a role within an organisation. The format of this name will depend upon the application, but it should be a unique identity that identifies the owner within the environment in which the public key will be employed.
Public-key value. The public key itself. This is often accompanied by an identifier of the cryptographic algorithm with which the public key is intended for use.
Validity time period. This identifies the date and time from which the public key is valid and, more importantly, the date and time of its expiry.
Signature. The creator of the public-key certificate digitally signs all the data that forms the public-key certificate, including the name of owner, public-key value and validity time period. This digital signature not only binds all this data together, but is also the guarantee that the creator of the certificate believes that all the data is correct. This provides the 'strong association' that we referred to in Section 11.1.1.
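As an added illustration (not from the book), the following Python issues and checks a certificate made of exactly these four fields, and shows that the signature fails if the owner name is altered and that an otherwise valid certificate is rejected outside its validity period. The issuer's key pair is a constructed toy RSA pair built from two Mersenne primes (not a secure key), and the owner's public-key value is a placeholder.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed toy RSA key pair for the certificate issuer; the moduli are
# Mersenne primes so the example runs offline. NOT a secure key.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def _digest_int(data: bytes) -> int:
    # SHA-256 truncated to 224 bits so the value is always below N (toy RSA)
    return int.from_bytes(hashlib.sha256(data).digest()[:28], "big")


def canonical_tbs(cert: dict) -> bytes:
    # The "to-be-signed" data: owner name, public key (with algorithm id)
    # and validity period, in a fixed encoding so issuer and verifier
    # hash exactly the same bytes.
    tbs = {k: cert[k] for k in ("owner", "public_key", "not_before", "not_after")}
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(owner: str, public_key: dict, not_before, not_after) -> dict:
    cert = {"owner": owner, "public_key": public_key,
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}
    # The signature binds all four fields together; toy RSA signing.
    cert["signature"] = pow(_digest_int(canonical_tbs(cert)), D, N)
    return cert


def verify_certificate(cert: dict, issuer_n: int, issuer_e: int, now) -> str:
    # 1. The issuer's signature must match the fields as they are presented.
    if pow(cert["signature"], issuer_e, issuer_n) != _digest_int(canonical_tbs(cert)):
        return "bad signature"
    # 2. The time of use must lie within the validity period.
    if not (datetime.fromisoformat(cert["not_before"]) <= now
            <= datetime.fromisoformat(cert["not_after"])):
        return "expired or not yet valid"
    return "ok"


def demo():
    # Constructed owner, placeholder key value and dates for the example.
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cert = issue_certificate("alice@example.org",
                             {"algorithm": "RSA", "value": "constructed-placeholder"},
                             start, start + timedelta(days=365))
    in_period = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return (verify_certificate(cert, N, E, in_period),
            verify_certificate(dict(cert, owner="mallory@example.org"), N, E, in_period),
            verify_certificate(cert, N, E, datetime(2027, 1, 1, tzinfo=timezone.utc)))
```

`demo()` returns the three verdicts for the genuine certificate, a copy whose owner name was changed after signing, and the genuine certificate checked after expiry.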
Most public-key certificates contain much more information than this, with the
precise contents being dictated by the certificate format that is chosen for use in