Re: How can I act as a Certificate Authority (CA) with openssl ??
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 10/06/04
- Next message: Paul Rubin: "Re: new /dev/random"
- Previous message: Booker C. Bense: "Re: How can I act as a Certificate Authority (CA) with openssl ??"
- Maybe in reply to: Booker C. Bense: "Re: How can I act as a Certificate Authority (CA) with openssl ??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 06 Oct 2004 15:00:58 -0600
see_my_signature_for_my_real_address@hotmail.com (Dr. David Kirkby) writes:
> I (name David) want to put a secure web server up for a friend
> (Paul) so he can access some documents securely for himself, no
> matter where in the world he is. Whilst signing the certificate
> myself (saying I'm Mickey Mouse if I want) is okay for our purposes,
> I'd like (just out of interest) to know how to be a Certificating
> Authority (CA). Somehow I don't think I will put Verisign out of
> business, but I'm interested in the process.
the whole point of a digital certificate is so that a relying party
that otherwise doesn't have any knowledge about the originating party
... can equate the originating party's public key with something about
the originating party.
normally in public key infrastructures where there is some
relationship and knowledge that exists between the relying party and
the originating party .... the relying party has a table of public
keys with information about their respective owners. This is
effectively the PGP model. It has also been the standard industry
business model for userid/password authentication system for scores of
years ... and can be applied to public key infrastructures by
replacing the "password" in the authentication tables with public keys
(aka radius, kerberos, password tables, etc).
in a certification environment ... the relying party's public key
tables, instead of containing the public keys and information directly
about originating parties .... contains public keys and information
about certification authorities (and the relying party has absolutely
no way of obtaining information directly about the originating party).
the relying party is totally dependent upon and trusts the
certification authority for providing information about the
originating party in the form of digital certificates.
to be a certification authority there are then at least requirements for
1) manufacturing the digital certificates
2) establishing trust with the relying parties that they are dependent
on the certification authority for supplying the information about the
originating party
3) loading the certificate authority's public key in the relying
parties' authentication table
i.e. the relying parties have to trust the certification authority to
provide the information about the originating party (in lieu of the
relying party having the information directly about the originating
party) and the relying parties have to have the certification
authority's public key loaded into their authentication table (in lieu
of directly loading the public key of the originating parties in their
authentication table).
in the past, there has been mention of PKIs ... where the certification
authority both manufactures certificates for arbitrary distribution
and provides a mechanism for managing those certificates.
many of the infrastructures are purely certificate manufacturing
operations as opposed to real PKIs ... and, in fact, I coined the term
certificate manufacturing in the mid-90s to differentiate from true
PKIs.
-- Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
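As an added example (not code from the post, nor from Lynn or the OpenSSL project), the three requirements above expressed with the openssl CLI, assuming the openssl binary is installed and with every CA and host name constructed: the CA manufactures a certificate for a server key, and the relying party's authentication table is nothing more than the -CAfile it hands to openssl verify.

```shell
#!/bin/sh
# Added example (not from the post): a toy CA driven by the openssl CLI.
# Assumes the openssl binary is installed; every name below is constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Requirement 1: manufacture certificates. The CA's own certificate is
# self-signed; it is the only thing the relying party will need to hold.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The originating party sends a CSR carrying its public key; the CA binds
# that key to a name by signing it. The CA never sees the private key.
issue_cert() {  # $1 = issuing CA name, $2 = originating party name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Requirement 3: the relying party's "authentication table" is -CAfile.
# It holds CA public keys only, never the originating party's; whether the
# certificate is accepted depends solely on which CA sits in that table.
relying_party_accepts() {  # $1 = CA name in the table, $2 = originating party
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca trusted-ca
make_ca other-ca            # a CA the relying party has never loaded
issue_cert trusted-ca docs.example.test

if relying_party_accepts trusted-ca docs.example.test; then
  echo "accepted: issuer is in the relying party's table"
fi
if ! relying_party_accepts other-ca docs.example.test; then
  echo "rejected: issuer is not in the relying party's table"
fi
```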