Tuesday, July 25, 2006


Digital signatures, part 5

This is a continuation of the Digital Signatures overview series.

3.2  Key Distribution

There's still the issue of key distribution, which we've so far ignored in the discussion of public-key encryption. We noted that key management is far easier with public-key systems than it would be with a web of symmetric keys, and that's quite true: it's easier, but it's still something that has to be done. Generation of key pairs is easy, and there are plenty of readily available (and free) programs that will do that.

The primary issue is that there has to be a way to get other parties' public keys. Many people simply post their PGP keys on their web pages. That's fine, as far as it goes, but are you sure you got that key from my web page? Most likely you did, and for many uses that's good enough, but if we're talking about securing large financial transactions we need more assurance. I can read you my key (or a "fingerprint" of it) over the telephone, and that will probably do it, but it's cumbersome. We'd like another way.

And we have one — two, actually. PGP uses a scheme called a "web of trust". Public keys are stored on key servers, and those servers store not only they keys, but also the signatures of other users who vouch for the authenticity of each key. If I am confident that I have accurately obtained your key, I can check the copy that's on the key server and make sure it matches. If it does, I can upload my signature to the server and say that I vouch for your key. Others can do the same. If someone else needs your key, they can get it from the server, along with all the signatures. They can then see if there's someone who's signed your key whom they already trust and have a key for. If they have my public key and trust me, they can use my signature as assurance that your key is verified.

Note that the third party is making two different determinations here, in using my signature to validate your key. One is that they have obtained my key correctly. The other is that I (not my key, but I, personally) can be trusted to have verified your key, and not to have just signed whatever was posted to the server, without checking. That's a central point to the web of trust: there are keys that I consider valid, and there is a subset of those whose signatures I trust for validation.

3.3  Certificates

The S/MIME system works differently: instead of an informal, ad hoc web of trust, it uses a network of trusted certificate authorities (CAs), which issue certificates as defined by the X.509 standard produced by the International Telecommunication Union (ITU). X.509 specifies a hierarchy of CAs, allowing a delegation of trust to different levels of organization.

X.509 certificates (or, simply, "certificates") are also used by web browsers and web servers, and you can get a basic view of how they work by looking at the trusted CA list in your browser settings. In Internet Explorer, open "Tools → Internet Options", go to the "Content" tab, and select the "Certificates" button; in Firefox, open "Tools → Options", go to the "Security" tab, and select the "View Certificates" button. From there, look at the "Authorities" tab in Firefox, or the "Trusted Root Certification Authorities tab in Internet Explorer, and you'll see entries for Equifax and Verisign and Thawte.

A company can get a certificate from one of these root certifiers, and can then create and sign certificates for its employees. When you process a certificate, your software looks at the certification path to find a CA whom you trust, and you trust the subject certificate if one is found.

Certificates are not an alternative to keys; rather, certificates contain keys, as well as other information. Because they contain other information they add flexibility to the system — certificates can have expiration dates (and most do), the human-readable name of the owner, the owner's email address, and so on.

It sounds a little complicated and, as we'll see in the next section, it is, but it provides a very important feature: it no longer matters how I obtain your certificate. If I trust the CA that issued it, I can trust the information contained in it. That mostly simplifies key distribution a great deal.

Next time: The User Experience

No comments: