Cryptography Reference
In-Depth Information
Signature
Signature algorithm sha1WithRSAEncryption
Signature:
00: 6F 69 6A AE 89 B2 C9 7F 54 14 B9 DB 45 ...
10: F8 BE BF 91 38 42 FF 43 E4 EA C6 38 C5 ...
..............................................
Extensions
X509v3 Private
Key Usage Period Not Before: Sep 25 10:46:12 2009 GMT,
Not After: Sep 25 10:46:12 2012 GMT
X509v3 Key Usage Digital Signature, Key Encipherment
Netscape Cert Type SSL Client, S/MIME
X509v3 Subject
Key Identifier
E5:D9:81:97:46:7E:87:B9:64:33:9E:50:EC:73: ...
X509v3 Authority
Key Identifier
keyid:40:9A:76:44:97:74:07:C4:AC:14:CB:1E: ...
Here, the
Subject
line gives the identity of the user to whom the certificate was
issued, so that this value corresponds to the information
Id
A
in the description above
and the
Issuer
is the CA that issues the certificate, in this case FNMT. Also, the
version, the serial number and the validity period of the certificate are specified
in the first lines. The validity period imposes a time limitation motivated both by
security reasons and other practical reasons such as the fact that the user may cease
to exist. Other important fields are the public-key scheme for which the user's public
key is valid—in this case RSA encryption—and the user's public key itself. In this
example, the public key is a 1024-bit RSA key which consists of a modulus and an
(encryption) exponent, both given as hexadecimal strings. Note that the encryption
exponent in this example is 0
x
010001
16
4
2
16
=
+
1
=
+
1
=
65537, which is
currently by far the most-used exponent.
Other important data included in the certificate are the signature algorithm used to
sign it, in this case RSA signatures with the hash function SHA-1 and, of course, the
issuer's signature itself. This signature is computed by hashing with SHA-1 the first
part of the certificate (containing the relevant data that includes the user identification
and public key) and applying the issuer's RSA private key. The signature, and hence
the certificate validity, may then be verified using the issuer's RSA public key.
Finally, under
Extensions
, the certificate contains some additional data, including
Key Usage
, which specifies the purpose of the public key in the certificate, and
Netscape Certificate Type
, which specifies the purposes the certificate can be used
for in relation to some common standards. For example, in this case,
SSL Client
means that the certificate subject may act as an SSL client (but not, for example, as
an SSL server) and
S/MIME
that the certificate may be used for S/MIME signing
and encryption.
9.7.2 Multiple Certification Authorities
The model sketched above, in which a single CA issues certificates for all users,
is simple but difficult to implement in practice. The world being as it is, it seems
unthinkable that everyone would trust the same CA and, in fact, many countries have
their own CAs and so do many private organizations. On the other hand, a hypothetic
