Alice Bob Honest Abe’s CA Simple PKI hierarchy.



  • Alice, Bob, Honest Abe's CA

  • Simple PKI hierarchy

  • Multi-level hierarchy

  • My personal Certificate (Installed on a Mac)

  • Dartmouth CA's Certificate (Installed on a Mac)

  • Building a trust path

    To verify a certificate, starting with a set of trusted certificates, we need to:

    1. Identify the issuer of the certificate (i.e., the issuer's certificate).
    2. Verify whether the issuer's certificate is trusted:
       - If it is among the set of trusted certificates, the original cert is trusted.
       - Else, if it is a root certificate, the original cert is untrusted.
       - Else, if it is not trusted, treat the issuer's certificate as the certificate under examination and repeat the process until a trusted or a root certificate is identified.
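The path-building loop from this slide, as an added Python example that is not part of the original deck: certificates are reduced to subject/issuer names (the hypothetical `Cert` class; signature checks are out of scope), the hierarchy in `STORE` is constructed for the example using the deck's names, and the example goes slightly beyond the slide by also stopping on a missing issuer and on a cycle of mutual cross-certificates with no reachable root.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names the path
    builder needs. Signature verification is deliberately left out."""
    subject: str
    issuer: str  # a root (self-signed) certificate names itself as issuer

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


def build_trust_path(cert, trusted, store, max_depth=8):
    """Walk issuer links from `cert` until a trusted certificate or a root is met.

    trusted: set of subject names we already trust (the trust anchors).
    store:   dict subject -> Cert for every certificate we can look up.
    Returns (is_trusted, path), where path lists the subjects visited.
    """
    path = [cert.subject]
    current = cert
    for _ in range(max_depth):
        issuer = store.get(current.issuer)          # step 1: identify the issuer
        if issuer is None:
            return False, path                      # no issuer cert: no path at all
        path.append(issuer.subject)
        if issuer.subject in trusted:               # trusted anchor reached
            return True, path
        if issuer.is_root:                          # self-signed but not trusted: stop
            return False, path
        if path.count(issuer.subject) > 1:          # cycle, e.g. mutual cross-certs
            return False, path
        current = issuer                            # undecided: repeat with the issuer
    return False, path                              # chain longer than we allow


# Constructed sample hierarchy (names from the slides; the links are assumptions)
STORE = {c.subject: c for c in [
    Cert("Honest Abe's CA", "Honest Abe's CA"),     # root, our trust anchor
    Cert("Dartmouth CA", "Honest Abe's CA"),        # intermediate CA
    Cert("Alice", "Dartmouth CA"),
    Cert("Other Root", "Other Root"),               # root we do not trust
    Cert("Bob", "Other Root"),
    Cert("CA-X", "CA-Y"), Cert("CA-Y", "CA-X"),     # cross-certified pair, no root
    Cert("Carol", "CA-X"),
]}
TRUSTED = {"Honest Abe's CA"}

if __name__ == "__main__":
    for name in ("Alice", "Bob", "Carol"):
        print(name, build_trust_path(STORE[name], TRUSTED, STORE))
```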

  • Typical trust chain

  • Cross certification

  • Multiple cross certification

  • Cross certification fuzziness

  • Cross certification fuzziness

  • Bridge CA

  • Bridge CA advantages

  • Certification Process

  • How to obtain a certificate

    1. Alice generates a key pair.
    2. Alice visits (online or in person) the RA, presenting documents attesting to her identity.
    3. The RA verifies Alice's documents and, if they're OK, gives Alice a confirmation #. The RA then notifies the CA (via a secure channel) of Alice's application, the RA's authentication of her documents, and the confirmation #.
    4. The CA verifies all this, notes Alice's application and confirmation #, and returns an authorization code to the RA, and the RA gives that to Alice.
    5. Alice creates a certificate request, including a) the ID info she gave to the RA, b) the authorization code, c) the confirmation #, and d) her public key. Alice signs the request with her private key and sends it to the CA.
    6. The CA verifies Alice's signature on the request, then recovers the public key. The CA might also do offline checks on Alice's ID info.
    7. The CA creates a certificate with Alice's public key and ID info and signs it with the CA's private key.
    8. Alice verifies the CA's signature on the certificate, and verifies that the public key it contains really is hers (the CA didn't modify her public key or ID info).
    9. The certificate is published.

    Note on step 2: documents like a passport, driver's license, etc., anything believable enough for the level of certificate she seeks.