Security Basics mailing list archives
RE: Another basic PKI question
From: "Ronald Kiss" <rkiss () sympatico ca>
Date: Tue, 14 Oct 2003 21:02:38 -0400
Hi,

You should also note that the security of the certificate chain depends on how thorough and secure the validation check is. One assumes that a higher-level CA has thoroughly checked and validated the identification information of the certificate it is signing. If for some reason this check is shoddily done, then it calls into question the security of all the certificates at the lower levels even if it is signed by its private key. This can be seen in the VeriSign case, where it accidentally created two certificates for Microsoft (to read the security bulletin go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp). As a result, one should only trust the certificate chain as far as they trust the validation procedure and the integrity of the information.

Regards,
Ron

-----Original Message-----
From: Francisco Andrades [mailto:fandrades () nextj com]
Sent: 14 October 2003 14:02
To: security-basics () securityfocus com
Subject: Re: Another basic PKI question

Hi,

You only need to trust the CA's root certificate. When you receive your signed certificate you also receive the whole chain up to the root certificate. When validating your certificate the whole chain will be checked, up to the root certificate. If the root certificate is trusted then the whole chain will be trusted (unless, of course, any of the certificates has been revoked). That's the whole idea about PKI: you don't have to trust everybody, you trust the CA. If a whole organization is no longer trusted then the parent certificate of its chain can be revoked, invalidating all certificates down the chain.

Roger A. Grimes wrote:

First, thanks to everyone who responded to my last question regarding PKI. (The answer to that one was that yes, both public and private keys can encrypt and decrypt (with most popular PKI protocols); but who encrypts and decrypts depends on whether you are signing or encrypting...but yes, the private key can encrypt. Thank you all.)

New question: When I receive a digital certificate, do I (or my browser) have to trust every PKI CA in the tree of trust heading all the way back up to the root CA, or just the closest CA to me in the chain of trust? I'm guessing it's the latter.
--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
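The chain check Francisco describes, and the limit Ron puts on it, as an added example in Go (this is not code from the thread; it uses the standard library's crypto/x509 path validation against a constructed root -> intermediate -> leaf hierarchy whose names are invented). It shows that a leaf validates only when the trust store holds the root and the intermediate is available, that it fails with an empty trust store or a missing intermediate, and that a leaf the intermediate signed without vetting its subject validates exactly as well as a legitimate one, because path validation checks signatures, not the CA's diligence:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records what path validation accepts and rejects.
type Result struct {
	RootTrusted         bool // root is the anchor, intermediate supplied: accepted
	NoAnchor            bool // empty trust store: rejected despite valid signatures
	MissingIntermediate bool // root trusted, intermediate absent: rejected
	MisissuedAccepted   bool // leaf the CA signed without vetting: accepted anyway
	ChainLen            int  // certificates in the validated path
}

// template builds a minimal certificate. Names are constructed for this example.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with the parent's key; a self-signed root passes itself as parent.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify runs path validation: signatures, validity periods and CA flags from
// the leaf up to an anchor. It cannot see how carefully a CA vetted a subject.
func verify(leaf *x509.Certificate, roots, inters []*x509.Certificate) (bool, int) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool, // non-nil and empty means "trust nothing", not "use system roots"
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return false, 0
	}
	return true, len(chains[0])
}

// Run builds the hierarchy and exercises the four cases listed in Result.
func Run() (Result, error) {
	var r Result
	keys := make([]*ecdsa.PrivateKey, 4) // root, intermediate, leaf, mis-issued leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return r, err
		}
		keys[i] = k
	}
	rootTmpl := template(1, "Example Root CA", true)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return r, err
	}
	inter, err := issue(template(2, "Example Issuing CA", true), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return r, err
	}
	leaf, err := issue(template(3, "vetted.example", false), inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return r, err
	}
	// Ron's point: the issuing CA signs a subject it never properly checked.
	// The signature is genuine, so the chain check has nothing to object to.
	bogus, err := issue(template(4, "never-vetted.example", false), inter, &keys[3].PublicKey, keys[1])
	if err != nil {
		return r, err
	}
	anchors, inters := []*x509.Certificate{root}, []*x509.Certificate{inter}
	r.RootTrusted, r.ChainLen = verify(leaf, anchors, inters)
	r.NoAnchor, _ = verify(leaf, nil, inters)
	r.MissingIntermediate, _ = verify(leaf, anchors, nil)
	r.MisissuedAccepted, _ = verify(bogus, anchors, inters)
	return r, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two caveats worth knowing when reading the result. First, crypto/x509's Verify does no revocation checking at all, so the "unless any of the certificates has been revoked" part of Francisco's answer has to be implemented separately (CRL or OCSP lookup on every certificate in the returned chain). Second, the anchor need not be a root: anything placed in the Roots pool is trusted unconditionally, which is why a trust store is only as good as the vetting behind every certificate it contains.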
Current thread:
- Another basic PKI question Roger A. Grimes (Oct 14)
- Re: Another basic PKI question Jon Barber (Oct 14)
- RE: Another basic PKI question David Gillett (Oct 14)
- Re: Another basic PKI question Francisco Andrades (Oct 14)
- RE: Another basic PKI question Ronald Kiss (Oct 15)
- <Possible follow-ups>
- RE: Another basic PKI question Hols, Albert (Oct 14)