pkiuniversity.com

Alice Bob Honest Abe’s CA

Simple PKI hierarchy

Multi-level hierarchy

My personal Certificate (Installed on a Mac)

Dartmouth CA’s Certificate (Installed on a Mac)

Building a trust path 1.To verify certificate α starting with a set of trusted certificates we need to: a.Identify the issuer of α (i.e., β) b.Verify if β is trusted 2.If β is among the set of trusted certificates, the original cert is trusted 3.Else if β is a root certificate, the original cert is untrusted 4.Else if β is not trusted set α=β and repeat the process until a trusted or a root certificate is identified

Typical trust chain

Cross certification

Multiple cross certification

Cross certification fuzziness

Bridge CA

Bridge CA advantages

Certification Process

How to obtain a certificate 1Alice generates a key pair 2Alice visits (online or in person) the RA, presenting documents attesting to her identity 3 RA verifies Alice’s documents and, if they’re ok, gives Alice a confirmation #. RA then notifies CA (via secure channel) of Alice’s application, RA’s authentication of her documents, and the confirmation #. 4 CA verifies all this, notes Alice’s application and confirmation #, and returns an authorization code to the RA, and the RA gives that to Alice. 5 Alice creates a certificate request, including a) ID info she gave to RA, b) Authorization code, c) Confirmation #, and d) Her Public key Alice signs the request with her private key, and sends it to the CA 6 CA verifies Alice’s signature on the request, then recovers the public key. CA might also do offline checks on Alice’s ID info. 7CA creates a certificate with Alice’s public key and ID Info and signs it with the CA’s private key. 8 Alice verifies the CA’s signature on the certificate, and verifies that the public key it contains really is hers (the CA didn’t modify her public key or ID Info). 9The certificate is published.