CAs and Digital Certificates
CAs and Digital Certificates are covered in greater detail
in Chapter 11,
but for our purposes here, they represent a digital identification system
whereby an independent third party vouches for the identity of the
certificate holder. Conceptually, this is similar to a state driver's license
used as identification. The merchant accepting the ID does not verify the
person's identity directly; it accepts that the state has performed adequate
verification and is therefore reasonably sure the identity is valid.
Distributing public keys across an untrusted network, such as the Internet,
is risky in itself: a recipient has no way to tell a genuine key from one an
attacker has substituted in transit. A CA addresses this by binding each key
to a verified identity.
CAs are trusted third-party organizations,
such as Verisign, Entrust, and Netscape, that issue digital certificates. The
peers wanting to use digital certificates register with a CA. Once the CA
verifies the client's credentials, it issues a digital certificate, signed
with the CA's own private key. The digital certificate contains the certificate bearer's
identity (name or IP address), the certificate serial number, the certificate
expiration date, and a copy of the certificate bearer's public key. Because the
CA's signature covers all of these fields, any peer that trusts the CA can
check that the public key really belongs to the named identity.
The standard format for digital certificates is defined in the
X.509 specification. Cisco supports X.509 version 3.