[Previous] [Next] [Index]
[Thread]
Re: What is "certificate"? (was: what are realistic threats?)
On Fri, 7 Oct 1994, Hapeman Dale wrote:
I'm late getting into this discussion; what can I read to get up to speed
on all this?
>
>
> How are these bound together? Because the issuer of my certificate signs
> the bits that make up my certificate. My certificate can not be altered
> without invalidating my issuer's signature.
>
> Now, you can validate my signature using my public key and know it came from
> me because the issuer of my certificate says that that public key belongs to
> me. The only thing my issuer has effectively "certified" is that I am the
> person who signed whatever it is I sent you. You can verify the issuer's
> signature on my certificate by gaining access to his certificate (and his
> public key).
>
> Why should you put am credence in my issuer's signature? Somebody issued
> and signed his certificate verifying that his public key (the one you used
> to verify his signature) does indeed belong to him. That somebody
> "certified" that he is really the person who used the public key that signed
> my certificate.
This is all fine, but I seemed to have missed how the issuer verifies the
contents of a document. It would seem that would become the weak link in all
this. Not that I cant trust my issuer, but how does an issuer, with
confidence(100%), validate a document? If an issuer cant give you that
degree of confidence then how can you ever trust the certification?
Another foolish question is what is an issuer. What entity is it?
drex
---------------
datkins@unm.edu "tight-lines"
CIRT-ACS University of New Mexico
----------------------------------
References: