pkiuniversity.com
Alice Bob Honest Abe’s CA
Simple PKI hierarchy
Multi-level hierarchy
My personal Certificate (Installed on a Mac)
Dartmouth CA’s Certificate (Installed on a Mac)
Building a trust path 1.To verify certificate α starting with a set of trusted certificates we need to: a.Identify the issuer of α (i.e., β) b.Verify if β is trusted 2.If β is among the set of trusted certificates, the original cert is trusted 3.Else if β is a root certificate, the original cert is untrusted 4.Else if β is not trusted set α=β and repeat the process until a trusted or a root certificate is identified
Typical trust chain
Cross certification
Multiple cross certification
Cross certification fuzziness
Bridge CA
Bridge CA advantages
Certification Process
How to obtain a certificate 1Alice generates a key pair 2Alice visits (online or in person) the RA, presenting documents attesting to her identity 3 RA verifies Alice’s documents and, if they’re ok, gives Alice a confirmation #. RA then notifies CA (via secure channel) of Alice’s application, RA’s authentication of her documents, and the confirmation #. 4 CA verifies all this, notes Alice’s application and confirmation #, and returns an authorization code to the RA, and the RA gives that to Alice. 5 Alice creates a certificate request, including a) ID info she gave to RA, b) Authorization code, c) Confirmation #, and d) Her Public key Alice signs the request with her private key, and sends it to the CA 6 CA verifies Alice’s signature on the request, then recovers the public key. CA might also do offline checks on Alice’s ID info. 7CA creates a certificate with Alice’s public key and ID Info and signs it with the CA’s private key. 8 Alice verifies the CA’s signature on the certificate, and verifies that the public key it contains really is hers (the CA didn’t modify her public key or ID Info). 9The certificate is published.