are correct. Of course, this transfers the problem to one of providing assurance
of purpose of the CA's verification key. However, just as we saw for symmetric
keys in Section 10.4.1, transferring a key management problem 'higher up a
chain' allows for a more scalable solution. We will discuss this issue in more
detail in Section 11.3.
Check the fields. The relying party needs to check all the fields in the public-key
certificate. In particular, they must check the name of the owner and that the
public-key certificate is valid. If the relying party does not check these fields
then they have no guarantee that the public key in the certificate is valid for the
application for which they intend to use it.
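As an added illustration of the relying party's checks (example code written for this page, not code from the book), the following Go program builds a throwaway CA and one end-entity certificate in memory and then performs exactly the checks described above: the signature must chain to a CA key the relying party already trusts, the owner name must match, the certificate must be valid at the time of use, and the key must be permitted for the intended purpose. The CA name, the owner name alice.example.test and the helper names buildPKI and CheckCertificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds the constructed trust anchor and the certificate under test.
type testPKI struct {
	roots *x509.CertPool
	leaf  *x509.Certificate
}

// buildPKI creates a self-signed CA and an end-entity certificate signed by it.
// Everything here is constructed sample data so the checks below run offline.
func buildPKI(now time.Time) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "alice.example.test"}, // owner name
		DNSNames:     []string{"alice.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(2 * time.Hour), // validity period
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // permitted purpose
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the relying party's assurance of purpose for the CA key
	return &testPKI{roots: roots, leaf: leaf}, nil
}

// CheckCertificate is the relying party's check. It returns nil only if the
// CA signature chains to a trusted root AND the owner name, the validity
// period at time of use and the key's permitted purpose all match.
func CheckCertificate(cert *x509.Certificate, roots *x509.CertPool, expectedOwner string, at time.Time, purpose x509.ExtKeyUsage) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedOwner,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{purpose},
	})
	return err
}

func main() {
	now := time.Now()
	pki, err := buildPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct owner, in validity, right purpose:",
		CheckCertificate(pki.leaf, pki.roots, "alice.example.test", now, x509.ExtKeyUsageServerAuth))
	fmt.Println("wrong owner name:",
		CheckCertificate(pki.leaf, pki.roots, "bob.example.test", now, x509.ExtKeyUsageServerAuth))
	fmt.Println("after expiry:",
		CheckCertificate(pki.leaf, pki.roots, "alice.example.test", now.Add(3*time.Hour), x509.ExtKeyUsageServerAuth))
	fmt.Println("wrong purpose:",
		CheckCertificate(pki.leaf, pki.roots, "alice.example.test", now, x509.ExtKeyUsageClientAuth))
}
```

Each failing case in main corresponds to one field the text says must be checked; a relying party that only verified the signature would accept all four certificates, since the signature is valid in every case.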
DIGITAL CERTIFICATES
It is worth noting that the principle of having some specific data digitally signed by
a trusted third party can have other applications. Public-key certificates represent
a special class of digital certificates. An example of another type of digital certificate
is an attribute certificate, which can be used to provide a strong association
between a specific attribute and an identity, such as:
• the identity specified is a member of the access control group administrators;
• the identity specified is over the age of 18.
Attribute certificates might contain several fields that are similar to a public-key
certificate (for example, owner name, creator name, validity period) but would
not contain a public-key value. Like a public-key certificate, the data that they
contain is digitally signed by the creator in order to vouch for its accuracy.
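To make the structure concrete, here is an added Go example (not code from the book, and not a standard attribute-certificate format) of a minimal attribute certificate: it carries a holder name, a creator name, a validity period and a list of attributes, but no public-key value, and the creator signs the encoded body with an Ed25519 key. The relying party verifies the creator's signature first and then checks the fields before trusting an attribute. The type names, the holder "alice", the issuer "hr-department" and the attribute strings are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// AttributeCertificate binds attributes to an identity (the holder). Like a
// public-key certificate it names the owner and creator and has a validity
// period, but it contains no public key. The layout is hypothetical.
type AttributeCertificate struct {
	Holder     string
	Issuer     string
	NotBefore  time.Time
	NotAfter   time.Time
	Attributes []string
}

// SignedAttributeCertificate is the DER encoding of the body together with
// the creator's Ed25519 signature over exactly those bytes.
type SignedAttributeCertificate struct {
	Body      []byte
	Signature []byte
}

// IssueAttributeCertificate encodes the body and has the creator sign it.
func IssueAttributeCertificate(issuerKey ed25519.PrivateKey, ac AttributeCertificate) (SignedAttributeCertificate, error) {
	body, err := asn1.Marshal(ac)
	if err != nil {
		return SignedAttributeCertificate{}, err
	}
	return SignedAttributeCertificate{Body: body, Signature: ed25519.Sign(issuerKey, body)}, nil
}

// CheckAttribute is the relying party's side. It reports true only if the
// creator's signature verifies, the certificate names the expected holder,
// it is valid at the time of use, and it actually asserts the attribute.
// A non-nil error means the certificate must not be trusted at all; a nil
// error with false means it is sound but does not assert that attribute.
func CheckAttribute(sac SignedAttributeCertificate, issuerPub ed25519.PublicKey, holder, attr string, at time.Time) (bool, error) {
	if !ed25519.Verify(issuerPub, sac.Body, sac.Signature) {
		return false, errors.New("creator signature does not verify")
	}
	var ac AttributeCertificate
	rest, err := asn1.Unmarshal(sac.Body, &ac)
	if err != nil {
		return false, err
	}
	if len(rest) != 0 {
		return false, errors.New("trailing data after certificate body")
	}
	if ac.Holder != holder {
		return false, fmt.Errorf("certificate is for %q, not %q", ac.Holder, holder)
	}
	if at.Before(ac.NotBefore) || at.After(ac.NotAfter) {
		return false, errors.New("certificate not valid at this time")
	}
	for _, a := range ac.Attributes {
		if a == attr {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	sac, err := IssueAttributeCertificate(priv, AttributeCertificate{
		Holder:     "alice",
		Issuer:     "hr-department",
		NotBefore:  now.Add(-time.Hour),
		NotAfter:   now.Add(time.Hour),
		Attributes: []string{"group:administrators", "age:over18"},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckAttribute(sac, pub, "alice", "group:administrators", now))
	fmt.Println(CheckAttribute(sac, pub, "alice", "group:auditors", now))
	fmt.Println(CheckAttribute(sac, pub, "mallory", "group:administrators", now))
}
```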
11.2 The certificate lifecycle
Many of the details of the phases of the key lifecycle (Figure 10.1) that we discussed
in Chapter 10 are just as valid for private keys as they are for symmetric keys.
However, there are several important differences with respect to the lifecycle
of public keys. In this section we will consider these lifecycle differences for a
public-key certificate, which is essentially the embodiment of a public key.
11.2.1 Differences in the certificate lifecycle
We now recall the main phases of the key lifecycle from Figure 10.1 and comment
on where differences lie:
Key generation. This is one of the phases which differs significantly. We have
already observed in Section 10.3.4 that the generation of a public-key pair is an
algorithm-specific, and often technically complex, operation. Having done this,
creation of a public-key certificate is even harder from a process perspective,