X.509 Certificates
In practice, certificates do not only contain the ID and the public key of a user; they
tend to be quite complex structures with many additional fields. As an example,
we look at an X.509 certificate in Fig. 13.4. X.509 is an important standard for
network authentication services, and the corresponding certificates are widely used
for Internet communication, e.g., in S/MIME, IPsec and SSL/TLS.
Fig. 13.4 Detailed structure of an X.509 certificate
Discussing the fields defined in an X.509 certificate gives us some insight into
many aspects of PKIs in the real world. We discuss the most relevant ones in the
following:
1. Certificate Algorithm: This field specifies which signature algorithm the issuer
used to sign the certificate, e.g., RSA with SHA-1 or ECDSA with SHA-2, and with which
parameters, e.g., the bit lengths. (Note that SHA-1 is no longer accepted for
certificate signatures by current browsers and CAs; SHA-2 is the norm today.)
2. Issuer: There are many companies and organizations that issue certificates. This
field specifies who issued, and hence signed, the certificate at hand.
3. Period of Validity: In most cases, a public key is not certified indefinitely but
rather for a limited time, e.g., for one or two years. One reason for doing this
is that the private key which belongs to the certificate may become compromised.
By limiting the validity period, there is only a certain time span during which
an attacker can maliciously use the private key. Another reason for a restricted
lifetime is that, especially for certificates for companies, it can happen that the
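The following program is an added example, not code from the book: it uses Go's standard library (crypto/x509) to build a self-signed certificate with made-up values (the subject name "example.test", the serial number, and a one-year validity window starting 2024-01-01 are all constructed for the example), parses it back, and reads out the three fields discussed above: the signature algorithm, the issuer, and the period of validity. It then checks the validity period against reference times before, inside and after the window, which is exactly the check that turns a limited lifetime into a bounded window of misuse for a compromised private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary collects the X.509 fields discussed in the text:
// the signature algorithm, the issuer, and the period of validity.
type CertSummary struct {
	SignatureAlgorithm string
	Issuer             string
	Subject            string
	NotBefore          time.Time
	NotAfter           time.Time
	PublicKeyBits      int
}

// BuildSelfSignedCert creates a constructed, self-signed test certificate
// (not a real one) so the example runs offline. The subject name and
// serial number are made-up values chosen for this example.
func BuildSelfSignedCert(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4711),
		Subject:               pkix.Name{CommonName: "example.test", Organization: []string{"Example Org"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    x509.ECDSAWithSHA256, // "Certificate Algorithm" field
	}
	// Passing tmpl as both template and parent makes the certificate
	// self-signed: the Issuer field is copied from the Subject.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Summarize parses a DER-encoded certificate and extracts the fields of interest.
func Summarize(der []byte) (CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	s := CertSummary{
		SignatureAlgorithm: cert.SignatureAlgorithm.String(),
		Issuer:             cert.Issuer.String(),
		Subject:            cert.Subject.String(),
		NotBefore:          cert.NotBefore,
		NotAfter:           cert.NotAfter,
	}
	// The "parameters" of the algorithm: here the size of the certified key.
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		s.PublicKeyBits = pub.Curve.Params().BitSize
	case *rsa.PublicKey:
		s.PublicKeyBits = pub.N.BitLen()
	}
	return s, nil
}

// CheckValidityPeriod enforces the Period of Validity field against a
// reference time. It does not verify the signature or the chain;
// (*x509.Certificate).Verify does that and also applies this time check.
func CheckValidityPeriod(der []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("certificate not yet valid: NotBefore=%s", cert.NotBefore.UTC())
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("certificate expired: NotAfter=%s", cert.NotAfter.UTC())
	}
	return nil
}

func main() {
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(1, 0, 0) // one-year lifetime
	der, err := BuildSelfSignedCert(notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	s, err := Summarize(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Algorithm: %s (%d-bit key)\nIssuer:    %s\nSubject:   %s\nValid:     %s .. %s\n",
		s.SignatureAlgorithm, s.PublicKeyBits, s.Issuer, s.Subject, s.NotBefore.UTC(), s.NotAfter.UTC())
	for _, ref := range []time.Time{notBefore.Add(-time.Hour), notBefore.AddDate(0, 6, 0), notAfter.Add(time.Hour)} {
		if err := CheckValidityPeriod(der, ref); err != nil {
			fmt.Println(ref.UTC(), "->", err)
		} else {
			fmt.Println(ref.UTC(), "-> valid")
		}
	}
}
```

Because the certificate is self-signed, the Issuer and Subject fields come out identical; for a CA-issued certificate the Issuer would name the CA, and a relying party would have to locate the CA's own certificate to verify the signature. The time check alone is not sufficient in practice: a key can be compromised well inside the validity window, which is why revocation (CRLs, OCSP) exists alongside the lifetime limit.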