Entity An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.īasically, public key cryptography requires access to users' public keys. Private keys are used to compute signatures. In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private and public keys exist in pairs in all public key cryptography systems (also referred to as "public key crypto systems"). Private Keys These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it's supposed to be kept secret). Signature A signature is computed over some data using the private key of an entity (the signer). In some systems the identity is the public key, in others it can be anything from a UNIX UID to an Email address to an X.509 Distinguished Name. Identity A known way of addressing an entity. The data is rendered unforgeable by signing with the entitys' private key. Digitally Signed If some data is digitally signed it has been stored with the "identity" of an entity, and a signature that proves that entity knows about the data. Public keys are used to verify signatures. The following table defines some of the key terms: Public Keys These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. This API benefits two types of developers: those who need to write service provider implementations for a specific certification path building or validation algorithm and those who need to access standard algorithms for creating, building, and validating certification paths in an implementation-independent manner. The Java Certification Path API provides a set of classes and interfaces for developers who need to integrate this functionality into their applications. RFC 2587 defines an LDAP (Lightweight Directory Access Protocol) schema definition that facilitates the discovery of X.509 certification paths using the LDAP directory service protocol.īuilding and validating certification paths is an important part of many standard security protocols such as SSL/TLS/DTLS, S/MIME, and IPsec.
Providing services to build or discover certification paths is an important feature of public key enabled systems. Often a user may not have a certification path from a most-trusted CA to the subject. The PKIX standards define an algorithm for validating certification paths consisting of X.509 certificates.
Validation can consist of various checks on the certificates contained in the certification path, such as verifying the signatures and checking that each certificate has not been revoked. The certification path establishes trust in Alice's public key through an intermediate CA named CA2.įigure 9-1 Certification Path from CA's Public Key (CA 1) to the Target Subjectĭescription of "Figure 9-1 Certification Path from CA's Public Key (CA 1) to the Target Subject"Ī certification path must be validated before it can be relied on to establish trust in a subject's public key. The following figure illustrates a certification path from a most-trusted CA's public key (CA 1) to the target subject (Alice). A certification path typically has one or more encodings, allowing it to be safely transmitted across networks and to different operating system architectures. In general, a certification path is an ordered list of certificates, usually comprised of the end-entity's public key certificate and zero or more additional certificates.
The most-trusted CA is usually specified by a certificate issued to a CA that the user directly trusts. This logic can be applied recursively, until a chain of certificates (or a certification path) is discovered from a trust anchor or a most-trusted CA to the target subject (commonly referred to as the end-entity). If the user does not have a trusted copy of the public key of the CA that signed the subject's public key certificate, then another public key certificate vouching for the signing CA is required. For the remainder of this section, the term CA is used to refer to an entity that signs a certificate. Public key certificates are used to establish this trust.Ī public key (or identity) certificate is a binding of a public key to an identity, which is digitally signed by the private key of another entity, often called a Certification Authority (CA). Users of public key applications and systems must be confident that a subject's public key is genuine, i.e., that the associated private key is owned by the subject.
0 kommentar(er)
