Cryptography Reference
In-Depth Information
user ceases to exist. If the certificates, and thus the public keys, are only valid for
a limited time, the damage can be controlled.
4. Subject: This field contains what was called $ID_A$ or $ID_B$ in our earlier examples. It
contains identifying information such as names of people or organizations. Note
that not only actual people but also entities like companies can obtain certificates.
5. Subject's Public Key: The public key that is to be protected by the certificate
is here. In addition to the binary string which is the public key, the algorithm
(e.g., Diffie-Hellman) and the algorithm parameters, e.g., the modulus $p$ and the
primitive element $\alpha$, are stored.
6. Signature: The signature over all other fields of the certificate.
We note that for every signature two public key algorithms are involved: the one
whose public key is protected by the certificate and the algorithm with which the
certificate is signed. These can be entirely different algorithms and parameter sets.
For instance, the certificate might be signed with an RSA 2048-bit algorithm, while
the public key within the certificate could belong to a 160-bit elliptic curve scheme.
Chain of Certificate Authorities (CAs)
In an ideal world, there would be one CA which issues certificates for, say, all
Internet users on planet Earth. Unfortunately, that is not the case. There are many
different entities that act as CAs. First of all, many countries have their own “official”
CA, often for certificates that are used for applications that involve government
business. Second, certificates for websites are currently issued by more than 50 mostly
commercial entities. (Most Web browsers have the public key of those CAs
pre-installed.) Third, many corporations issue certificates for their own employees and
external entities who do business with them. It would be virtually impossible for a
user to have the public keys of all these different CAs at hand. What is done instead
is that CAs certify each other.
Let's look at an example where Alice's certificate is issued by CA1 and Bob's by
CA2. At the moment, Alice is only in possession of the public key of “her” CA1,
and Bob has only $k_{pub,CA2}$. If Bob sends his certificate to Alice, she cannot verify
Bob's public key. This situation looks like this:
Two Users with Different Certificate Authorities

Alice (holds $k_{pub,CA1}$)                Bob (holds $k_{pub,CA2}$)

$Cert_B = [(k_{pub,B}, ID_B), \mathrm{sig}_{k_{pr,CA2}}(k_{pub,B}, ID_B)]$

Alice $\xleftarrow{\;Cert_B\;}$ Bob
Alice can now request CA2's public key, which is itself contained in a certificate
that was signed by Alice's CA1:
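
The chain check described above, as an added example that is not part of the original text: Alice, who trusts only CA1's public key, rejects Bob's certificate on its own and accepts it once CA2's certificate (signed by CA1) precedes it. Textbook RSA over SHA-256 with fixed small primes stands in for a real signature scheme, the function names are hypothetical, and validity-period and revocation checks are left out.

```python
# Added example: toy CA chain with textbook RSA over SHA-256. Not secure.
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(subject, pub, n):
    """Hash of the signed fields (k_pub, ID), reduced mod the signer's n."""
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub, ca_priv):
    """Cert = [(k_pub, ID), sig_{k_pr,CA}(k_pub, ID)]."""
    n, d = ca_priv
    return {"subject": subject, "pub": pub,
            "sig": pow(digest(subject, pub, n), d, n)}

def verify(cert, ca_pub):
    """True only if cert was signed with the private key matching ca_pub."""
    n, e = ca_pub
    return (0 <= cert["sig"] < n and
            pow(cert["sig"], e, n) == digest(cert["subject"], cert["pub"], n))

def verify_chain(chain, trusted_pub):
    """Walk the chain from the trusted key; return the last certified
    public key, or None as soon as one signature fails."""
    key = trusted_pub
    for cert in chain:
        if not verify(cert, key):
            return None
        key = cert["pub"]  # this key is now authenticated
    return key

# Constructed keys from small Mersenne primes (far too small for real use).
ca1_pub, ca1_priv = keygen(2**89 - 1, 2**107 - 1)
ca2_pub, ca2_priv = keygen(2**61 - 1, 2**127 - 1)
bob_pub, _ = keygen(2**19 - 1, 2**31 - 1)

cert_b = issue("Bob", bob_pub, ca2_priv)    # Bob's certificate, from CA2
cert_ca2 = issue("CA2", ca2_pub, ca1_priv)  # CA2's key, certified by CA1

if __name__ == "__main__":
    print(verify_chain([cert_b], ca1_pub))                       # None
    print(verify_chain([cert_ca2, cert_b], ca1_pub) == bob_pub)  # True
```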