pkiuniversity.com
Alice Bob
Honest Abe’s CA
Simple PKI hierarchy
Multi-level hierarchy
My personal Certificate(Installed on a Mac)
Dartmouth CA’s Certificate(Installed on a Mac)
Building a trust path
1. To verify certificate α starting with a set of trusted certificates we need to:a. Identify the issuer of α (i.e., β)b. Verify if β is trusted
2. If β is among the set of trusted certificates, the original cert is trusted
3. Else if β is a root certificate, the original cert is untrusted
4. Else if β is not trusted set α=β and repeat the process until a trusted or a root certificate is identified
Typical trust chain
Cross certification
Multiple cross certification
Cross certification fuzziness
Cross certification fuzziness
Bridge CA
Bridge CA advantages
Certification Process
How to obtain a certificate1 Alice generates a key pair
2 Alice visits (online or in person) the RA, presenting documents attesting to her identity
3 RA verifies Alice’s documents and, if they’re ok, gives Alice a confirmation #. RA then notifies CA (via secure channel) of Alice’s application, RA’s authentication of her documents, and the confirmation #.
4 CA verifies all this, notes Alice’s application and confirmation #, and returns an authorization code to the RA, and the RA gives that to Alice.
5
Alice creates a certificate request, including a) ID info she gave to RA, b) Authorization code, c) Confirmation #, and d) Her Public key Alice signs the request with her private key, and sends it to the CA
6 CA verifies Alice’s signature on the request, then recovers the public key. CA might also do offline checks on Alice’s ID info.
7 CA creates a certificate with Alice’s public key and ID Info and signs it with the CA’s private key.
8 Alice verifies the CA’s signature on the certificate, and verifies that the public key it contains really is hers (the CA didn’t modify her public key or ID Info).
9 The certificate is published.
Top Related