RE: Another basic PKI question
From: Ronald Kiss (rkiss_at_sympatico.ca)
Date: 10/15/03
- Previous message: Joey Peloquin: "RE: dhcp / mac address"
- In reply to: Francisco Andrades: "Re: Another basic PKI question"
To: "'Francisco Andrades'" <fandrades@nextj.com>, <security-basics@securityfocus.com>
Date: Tue, 14 Oct 2003 21:02:38 -0400
Hi,
You should also note that the security of the certificate chain depends
on how thorough and secure the validation check is. One assumes that a
higher-level CA has thoroughly checked and validated the identification
information of the certificate it is signing. If for some reason this check
is shoddily done, then it calls into question the security of all the
certificates at the lower levels even if it is signed by its private
key. This can be seen in the VeriSign case, where it accidentally
created two certificates for Microsoft (to read the security bulletin go
to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp).
As a result, one should only trust the
certificate chain as far as they trust the validation procedure and the
integrity of the information.
Regards,
Ron
-----Original Message-----
From: Francisco Andrades [mailto:fandrades@nextj.com]
Sent: 14 October 2003 14:02
To: security-basics@securityfocus.com
Subject: Re: Another basic PKI question
Hi,
You only need to trust the CA's root certificate. When you receive your
signed certificate you also receive the whole chain up to the root
certificate. When validating your certificate the whole chain will be
checked, up to the root certificate. If the root certificate is trusted
then the whole chain will be trusted (unless, of course, any of the
certificates has been revoked).
That's the whole idea about PKI: you don't have to trust everybody, you
trust the CA. If a whole organization is no longer trusted then the
parent certificate of its chain can be revoked, invalidating all
certificates down the chain.
Roger A. Grimes wrote:
> First, thanks to everyone who responded to my last question regarding
> PKI.
>
> (The answer to that one was that yes, both public and private keys can
> encrypt and decrypt (with most popular PKI protocols); but who
> encrypts and decrypts depends on whether you are signing or
> encrypting...but yes, the private key can encrypt. Thank you all.)
>
> New question: When I receive a digital certificate, do I (or my
> browser) have to trust every PKI CA in the tree of trust heading all
> the way back up to the root CA, or just the closest CA to me in the
> chain of trust? I'm guessing it's the latter.
>
>
--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
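As an added illustration of the chain walk Francisco describes above (this is editor-supplied example code, not part of any message in the thread), the block below builds a toy three-tier hierarchy and validates it from the leaf up to a root held in a trust store. The root key is the only thing trusted a priori; every other link is checked by signature, issuer name and CA flag, and revoking the intermediate rejects everything below it. The names (Example Root CA, Example Issuing CA, www.example.test) are made up, and textbook RSA with 160-bit primes over a truncated SHA-256 digest stands in for a real signature scheme: it is not secure and is there only so the example runs with the Python standard library alone.

```python
# Toy chain validation: leaf -> intermediate -> trusted root.  Textbook RSA
# over a truncated SHA-256 digest stands in for a real signature scheme; it is
# NOT secure (no padding, tiny keys) and exists only so the chain-walking
# logic runs stand-alone with no third-party dependencies.
import hashlib
import json
import random

_rng = random.Random(2003)  # fixed seed: reproducible keys for the demo

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=160, e=65537):
    """Return ((n, e), (n, d)): toy RSA public and private key."""
    def prime():
        while True:
            cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(tbs):
    # Canonical encoding of the to-be-signed fields, truncated to 128 bits so
    # the value is always below the 320-bit modulus.
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:16], "big")

def sign(private, tbs):
    return pow(_digest(tbs), private[1], private[0])

def verify(public, tbs, signature):
    return pow(signature, public[1], public[0]) == _digest(tbs)

def issue(subject, subject_pub, issuer, issuer_priv, is_ca):
    # The issuer signs the subject's name, public key and CA flag.
    tbs = {"subject": subject, "issuer": issuer, "key": list(subject_pub), "ca": is_ca}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs)}

def validate_chain(chain, trust_store, revoked=frozenset()):
    """chain = [leaf, ..., root]; trust_store maps root names to public keys.
    Every link is checked (revocation, CA flag, issuer name, signature); the walk
    must end at a root in the trust store, the only a-priori trusted key."""
    for cert, issuer in zip(chain, chain[1:]):
        name, upper = cert["tbs"]["subject"], issuer["tbs"]["subject"]
        if name in revoked or upper in revoked:
            return False, f"revoked certificate in the chain at {name!r}"
        if not issuer["tbs"]["ca"]:
            return False, f"{upper!r} is not a CA"
        if cert["tbs"]["issuer"] != upper:
            return False, f"issuer name mismatch on {name!r}"
        if not verify(tuple(issuer["tbs"]["key"]), cert["tbs"], cert["sig"]):
            return False, f"bad signature on {name!r}"
    root = chain[-1]
    root_name, root_key = root["tbs"]["subject"], trust_store.get(root["tbs"]["subject"])
    if root_key is None or list(root_key) != root["tbs"]["key"]:
        return False, f"root {root_name!r} is not in the trust store"
    if not verify(root_key, root["tbs"], root["sig"]):
        return False, "root self-signature does not verify"
    return True, f"chain validates up to trusted root {root_name!r}"

def build_demo():
    """Constructed three-tier hierarchy with made-up names (not real CAs)."""
    root_pub, root_priv = keygen()
    ca_pub, ca_priv = keygen()
    leaf_pub, _ = keygen()
    root = issue("Example Root CA", root_pub, "Example Root CA", root_priv, True)
    ca = issue("Example Issuing CA", ca_pub, "Example Root CA", root_priv, True)
    leaf = issue("www.example.test", leaf_pub, "Example Issuing CA", ca_priv, False)
    return [leaf, ca, root], {"Example Root CA": root_pub}

def demo():
    # {case: accepted?} for the valid chain and three ways it is rejected.
    chain, trust = build_demo()
    leaf, ca, root = chain
    forged = {"tbs": {**leaf["tbs"], "subject": "evil.example.test"}, "sig": leaf["sig"]}
    return {
        "valid chain": validate_chain(chain, trust)[0],
        "intermediate revoked": validate_chain(chain, trust, {"Example Issuing CA"})[0],
        "root not in trust store": validate_chain(chain, {})[0],
        "leaf tampered after signing": validate_chain([forged, ca, root], trust)[0],
    }
```

Calling demo() returns True only for the intact chain: revoking the intermediate, removing the root from the trust store, or editing the leaf after it was signed each cause rejection, which is what "you only need to trust the CA's root certificate" means in practice. Note that a real verifier also checks validity periods, path-length and name constraints, and fetches CRL or OCSP status; none of that is modelled here.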