In this post we discuss the digital signature process.
(Check out the first part to find out about Graphical Signatures, as we won't be discussing them here.)
A (not so short) digression into the world of Certifying Authorities. Read it for more information on the flow of certificates. There will be some reference in part two, to some of this information.
A Digital Signature is designed to re-assure the end user that YOU really signed this document or sent an e-mail.
It is based on the same technology that is used to assure web users that they really are at their banking web site or are at the Amazon store.
What we are talking about are Certificates and Certifying Authorities. When a web site wants to assure their users that they are at the true web site, the site owners get a certificate. This works on a Trust basis. There are several Trusted Root Certificate Authorities built into your browser. Perhaps the most well known is "VeriSign". GeoTrust and Thawte are two others that are installed in almost every browser. Any firm can purchase a certificate for their domain to allow them to be "trusted" When a certificate is purchased from a VeriSign, they conduct some type of check to see that the requestor actually is who they present themselves to be. Depending on the level of certification (usually based on the amount of maney paid), that may include a phone call, e-mail or maybe checking the firm with a source such as Dun and Bradstreet.
The Certifying Authority then sends the file and it gets installed on the web server. It is not a root certificate, but it is something that says that someone else believes they are who they say they are.
If you check your browser, you may have dozens of certificates, but there are only a few Trusted Root Certifying Authorities (TRCA). Almost every country has their own, simply because of country pride. Most of the other certificates, are chained or intermediate certificates. These certificates include the TRCA certificate indicating this chained certificate is backed by someone else.
Two other classes of certificates are self-signed and Trusted Root Certificates.
If a web site owner does not want to pay someone to vouch for them, they can create a self-signed certificate. This certificate basically says, "hey, you can trust me because I said that I am me." It's is the end-users choice whether to make that assumption or not.
Finally, a Trusted Root Certrificate can issued by an individual firm. Anyone can create a Certifiying Authority and become just like a VeriSign. They can choose their own level of verification and start issuing certificates to individuals (or firms for that matter). In this case, the browser would give a warning that a firm wants to install a Trusted Root Certificate onto the computer. It's the end-users choice. Once that certificate is installed, any of the certificates issued by that firm are trusted.
And finally there is the self-signed Trusted Root Certificate.
A self-signed Trusted Root Certificate allows a vendor to become a Certifying Authority. Suppose a vendor wants to be able to sell certificates to their clients. But they do not want to go through the hassle and cost of paying one of the real Trusted Root Authorities to be able to resell certificates that are automatically recognized by everyone. The vendor sets themselves up to be a Trusted Root Authority and starts selling certificates to their clients.
Everything is fine, until one of the clients end-users gets a digitally signed file and it it says the certificate is not recognized (or something similar). What has just occurred on the end-users computer is that the certificate used, does not have a chain back to a recognized Trusted Root Authority. So what the vendor does is include in the certificates that they sell to their clients, is a copy of their own Trusted Root Authority. The end-user has to install that vendors certificate and all the trust that entails. Once that occurs, any more certificates based off that Trusted Root Authority, will now be recognized.
This means that every single certificate that an end-user sees, must trace it's path back to a Trusted Root Authority. Either directly or via Intermediate certificates.
As you can see, digital certificates are not a simply concept. They are also fraught with potential issues. What happens if the TRCA itself gets compromised and duplicate certificates are issued? What if a client loses their certificate, how is revocation handled? These and many more questions should be considered before getting a certificate from someone other than one of the few recognized Trusted Root Authorities.
thanks for hanging in there through this long missive.
Go out and certify something!