Determining the trust of a public key certificate


Can you trust that the public-key certificate will allow you to prove who created the signature? Some considerations for this question are given below.


The IP Protector software will allow you to indicate your trust for a particular certificate. Designating your trust removes the displayed "warning messages" that you will see with a signature that is verified with an un-trusted certificate. The issue becomes, should you choose to trust a particular certificate?


Below we briefly describe these topics:

 

There is a great deal written on the subject of trusting public key certificates and certificate authorities. You may want to review other sources of information.


Identifying the signer

The purpose is to prevent the individual from falsely denying that they created the signature. The formal term for this purpose is non-repudiation.


A digital signature is verified using a public key certificate. The public key certificate contains three essential elements:

  1. Information that is used to identify the person who creates signatures with the public key
  2. The actual public key which is used to mathematically verify the signature
  3. The name of the third-party that can testify to the identity of the person in #1 above - A Certificate Authority (CA) is commonly used as this third-party. A CA verifies the person’s identity and binds it with the public key.


The strength of #3, proof-of-identity, above is a critical element in the degree of trust that you have in your ability to enforce nonrepudiation.


For example, a certificate authority that verifies the identity of an individual using:

  • Option A: Exchanging e-mails

has "less trust" than using,

  • Option B: Appearing in person with valid forms of identification

The actual process of reliably identifying each individual is a complex subject. Many governments have debated the use of "national identification" systems partially due to the difficulty in managing identities. You can read more about the work of certificate authorities at the web sites of some of these CA’s.


Viewing the trusted certificates with the IP Protector software

Several certificates from about 20 different Certificate Authorities are included with the software and are designated as "trusted".


These certificates were chosen by Sun Microsystems to include with their Java environment as trusted. This same set is similar to what Microsoft chose to include with their Explorer browser.

 

 

You can review these certificates using the software. Click here for demonstration screen shot.

 

 

 

Signer certificates that are issued by the trusted certificates will also be considered trusted.

This is called a certificate chain of authority. 

Checking revocation lists 

It is possible that an event could happen that requires the revocation of a certificate. For example, the signer looses the private key and informs the Certificate Authority. (Much like when you loose a credit card, you call the card issuer or bank.) Signatures created after the revocation should not be trusted. The IP Protector software does not include checking with the various revocation lists.


To check if a signer's certificate is on a revocation list, you need to go to the CA’s web site. The CA should have some way to enter the serial number of the certificate (or some other means) to query if and when it was revoked. Click here for screen shot for determining a certificate's issuer.