|A digital certificate is an electronic document that
verifiably proves the identity of the bearer.
“On the Internet, nobody knows you’re a dog.” Peter Steiner’s cartoon from a 1993 issue of the New Yorker magazine has become an Internet mantra. The anonymous nature of Internet transactions has facilitated boisterous and vibrant social communities among those who would otherwise be shy in public.
Unfortunately, the dark side of the Internet’s anonymity is that commercial transactions can quickly lead to fraud. How do you know a “dog” doesn’t run the ecommerce site you’re about to buy something from? How do you prove your identity
to someone over a medium that enables the total manipulation of information? How can you trust that what you’re seeing is for real?
In the real world, you can prove your identity with a trustworthy photo
ID, such as a passport or government-issued identification. These
contain a photograph that can be quickly matched against the bearer’s
face. Antiforgery techniques help make the document itself trustworthy.
Now imagine if these identifications lacked photographs of the bearer. Possession of the ID would be the only important factor in proving identity. If somebody else got hold of your ID, he or she could easily pretend to be you. This is the
way many forms of identity used to exist. Years ago, driver’s licenses did not contain photographs, but after many incidences of fraud and misconduct, photographs were
added to improve security.
The virtual equivalent to a pictureless ID is the digital certificate. It contains personal data that can be used to identify the holder. It is issued by a trusted organization,
which makes the certificate itself trustworthy. It is assumed that part of the certificate is kept confidential and can only be presented by the legitimate owner. In the “Security Considerations” section, we’ll look at this assumption a bit more carefully. For now, pretend that the assumption is valid.
A complete digital certificate system includes people trying to prove their identity, people trying to verify their identity, and one or more trusted third parties capable of performing the verification as well. The entire system is often referred to as a public key infrastructure (PKI). The term public does not mean the entire system is designed for public access. Instead it refers to the underlying encryption system that uses a combination of freely shared (public) keys and secret (private) keys.
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic. To learn more about the book and what it covers, click here.
Below, you'll find links to online resources that supplement this portion of the book.