If a public key user does not already hold a trusted copy of the public key of the CA that signed a certificate, together with that CA's name, it may need an additional certificate to obtain that public key. A sample scenario appears in Figure 1. Assume that Bob requests authentication from Alice using his certificate, which was signed by CA1. Alice, whose own certificate was signed by CA2, does not hold the public key of CA1, which she needs in order to validate Bob's certificate. Alice therefore forms a certificate chain that contains both CA2's certificate and her own, and requests that CA1 provide its public key.
In general, a chain of multiple certificates may be needed: one certificate for the public key owner (the end entity), signed by one CA, plus zero or more additional certificates for CAs, each signed by another CA. Such chains, called certification paths, are required because a public key user is initialized with only a limited number of trusted CA public keys. Certification path processing verifies the binding between the subject name and the subject public key; this requires obtaining a sequence of certificates that supports that binding.
Many organizations elect to create self-signed certificates for their public key infrastructure rather than purchase one or more certificates from a Certificate Authority. In most cases this is fine. However, there are two differences between self-signed and CA-signed certificates. First, SSL-enabled web browsers normally recognize a CA-issued certificate and allow a secure connection to be made automatically, without prompting the user; self-signed certificates usually generate an annoying (and, to nontechnical users, sometimes frightening) pop-up. Second, a CA vouches for the identity of the organization that is providing services to the browser or other certificate-enabled device.
Before signing a certificate, a CA verifies the identity of the requesting organization. Thus, if your PKI is accessed by the public at large, you should provide a certificate signed by a CA so that the people who visit or call know that your infrastructure is owned by the organization that claims to own it.
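As an added example (not code from the original post), the following Python models the certification-path logic of the Bob/Alice scenario and the self-signed case together. Alice holds only CA2's key as a trust anchor, so Bob's CA1-signed certificate validates only once a certificate in which CA2 signs CA1's key is available (and not when that certificate is forged); a self-signed certificate validates only after the user explicitly adds it as an anchor, which is what the browser pop-up is asking. Certificates are plain dicts, signatures are textbook RSA over a SHA-256 digest with small constructed keys, and the names CA1, CA2, Bob and Acme are assumptions chosen to mirror the text.

```python
"""Toy model of certification path building and validation.

Added example, not code from the original post. Certificates are dicts and
signatures are textbook RSA over SHA-256 with tiny constructed key pairs
(Mersenne primes), so everything runs offline. Names are assumptions.
"""
import hashlib

# Known primes used only to build toy key pairs; nothing here is a real key size.
M13, M17, M19, M31 = 2**13 - 1, 2**17 - 1, 2**19 - 1, 2**31 - 1
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, priv):
    n, d = priv
    return pow(_digest_int(data) % n, d, n)


def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data) % n


def _tbs(cert):
    """The 'to-be-signed' part: subject name, issuer name, subject public key."""
    n, e = cert["pubkey"]
    return f'{cert["subject"]}|{cert["issuer"]}|{n}|{e}'.encode()


def issue(subject, subject_pub, issuer, issuer_priv):
    """The issuer signs the binding between a subject name and a subject key."""
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_pub}
    cert["sig"] = sign(_tbs(cert), issuer_priv)
    return cert


def build_path(target, store, anchors, max_len=8):
    """Follow issuer names from the end entity until a certificate whose issuer
    is a trust anchor is reached. Returns [anchor-signed cert, ..., target],
    or None when no chain to an anchor exists in the store."""
    def walk(cert, depth, seen):
        if cert["issuer"] in anchors:
            return [cert]
        if depth >= max_len:
            return None
        for cand in store:
            if cand["subject"] == cert["issuer"] and cand["subject"] not in seen:
                rest = walk(cand, depth + 1, seen | {cand["subject"]})
                if rest:
                    return rest + [cert]
        return None
    return walk(target, 0, {target["subject"]})


def validate_path(path, anchors):
    """Check name chaining and every signature: the anchor key verifies the
    first certificate, then each certificate's subject key verifies the next."""
    if not path:
        return False
    expected_issuer = path[0]["issuer"]
    key = anchors.get(expected_issuer)
    if key is None:
        return False
    for cert in path:
        if cert["issuer"] != expected_issuer or not verify(_tbs(cert), cert["sig"], key):
            return False
        key, expected_issuer = cert["pubkey"], cert["subject"]
    return True


# Constructed scenario: Bob's certificate is signed by CA1; Alice trusts only CA2.
CA1_PUB, CA1_PRIV = make_keypair(M89, M61)
CA2_PUB, CA2_PRIV = make_keypair(M127, M107)
BOB_PUB, _ = make_keypair(M31, M19)
ACME_PUB, ACME_PRIV = make_keypair(M17, M13)

BOB_CERT = issue("Bob", BOB_PUB, "CA1", CA1_PRIV)
CROSS_CERT = issue("CA1", CA1_PUB, "CA2", CA2_PRIV)     # CA2 vouches for CA1's key
FORGED_CROSS = issue("CA1", CA1_PUB, "CA2", CA1_PRIV)   # names CA2 as issuer, but CA2 never signed it
ACME_SELF = issue("Acme", ACME_PUB, "Acme", ACME_PRIV)  # self-signed server certificate
ALICE_ANCHORS = {"CA2": CA2_PUB}


def alice_validates(target, store, extra_anchors=None):
    """Alice's view: build a path to her anchors (plus any she added) and validate it."""
    anchors = {**ALICE_ANCHORS, **(extra_anchors or {})}
    return validate_path(build_path(target, store, anchors), anchors)


if __name__ == "__main__":
    print("Bob, no CA1 key available:     ", alice_validates(BOB_CERT, [BOB_CERT]))
    print("Bob via CA2-signed CA1 cert:   ", alice_validates(BOB_CERT, [BOB_CERT, CROSS_CERT]))
    print("Bob via forged CA1 cert:       ", alice_validates(BOB_CERT, [BOB_CERT, FORGED_CROSS]))
    print("Acme self-signed, untrusted:   ", alice_validates(ACME_SELF, [ACME_SELF]))
    print("Acme after user adds anchor:   ",
          alice_validates(ACME_SELF, [ACME_SELF], {"Acme": ACME_PUB}))
```

The path builder stops as soon as an issuer name matches an anchor, and the validator then re-checks every link, so an attacker-supplied certificate that merely names CA2 as its issuer is rejected at the signature step rather than trusted on the strength of its name.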
Thanks a lot for explaining this most important concept of encryption technique. I have tried to learn about it, but the information that I have found so far on other blogs doesn't clearly explain it. I must say that you thoroughly described it.