Authentication in Public-Key Systems
Digital signatures do, to a limited extent, guarantee the authenticity of the sender. After all, only the sender’s public key can decrypt the digital signature encrypted using the sender’s private key. Strictly speaking, however, the only thing this actually guarantees is that whoever sent the message possessed the private key corresponding to the public key used to decrypt the digital signature. Thus, although this public key might have been advertised as belonging to the sender, the recipient can never be absolutely certain.
Certainty is created through the use of digital certificates. A digital certificate certifies that a given public key is owned by a particular sender.
A digital certificate is nothing more than a public key that has been digitally signed by a third party. That third party is known as a certificate authority (CA) and is the person or business that certifies that the public key belongs to the sender.
Now, instead of providing the sender’s public key to the recipient, the sender provides a CA-signed public key (a digital certificate) to the recipient. The certificate proves to the recipient that the sender’s public key actually belongs to the sender.
First, the recipient decrypts the certificate using the CA’s public key and computes a digest of the sender’s public key contained in the result. The recipient compares the two digests (the one created by the CA and the one created by the recipient), and if they are the same, the ...
Get sendmail, 4th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.