Security Basics mailing list archives

RE: Another basic PKI question


From: "Ronald Kiss" <rkiss () sympatico ca>
Date: Tue, 14 Oct 2003 21:02:38 -0400

Hi,
You should also note that the security of the certificate chain depends
on how thorough and secure the validation check is. One assumes that a
higher-level CA has thoroughly checked and validated the identification
information of the certificate it is signing. If for some reason this check
is shoddily done, then it calls into question the security of all the
certificates at the lower levels, even if they are signed by its private
key. This can be seen in the VeriSign case, where it accidentally
created two certificates for Microsoft (to read the security bulletin go
to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp).
As a result, one should only trust the certificate chain as far as one
trusts the validation procedure and the integrity of the information.
Regards,
Ron

-----Original Message-----
From: Francisco Andrades [mailto:fandrades () nextj com] 
Sent: 14 October 2003 14:02
To: security-basics () securityfocus com
Subject: Re: Another basic PKI question


Hi,

You only need to trust the CA's root certificate. When you receive your 
signed certificate you also receive the whole chain up to the root 
certificate. When validating your certificate the whole chain will be 
checked, up to the root certificate. If the root certificate is trusted 
then the whole chain will be trusted (unless, of course, any of the 
certificates has been revoked).

That's the whole idea about PKI: you don't have to trust everybody, you 
trust the CA. If a whole organization is no longer trusted then the 
parent certificate of its chain can be revoked, invalidating all 
certificates down the chain.

Roger A. Grimes wrote:
First, thanks to everyone who responded to my last question regarding 
PKI.

(The answer to that one was that yes, both public and private keys can 
encrypt and decrypt (with most popular PKI protocols); but who 
encrypts and decrypts depends on whether you are signing or 
encrypting...but yes, the private key can encrypt.  Thank you all.)

New question:  When I receive a digital certificate, do I (or my 
browser) have to trust every PKI CA in the tree of trust heading all 
the way back up to the root CA, or just the closest CA to me in the 
chain of trust?  I'm guessing it's the latter.



-- 
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
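The chain checking Francisco describes, and Ron's point that a correctly signed chain says nothing about how carefully the CA vetted the subject, as an added example that is not part of the original thread. It builds a toy hierarchy with Go's standard crypto/x509 package and runs five presentations through the same verifier. The CA and subject names, the P-256 keys, the one-day validity and the code-signing key usage are illustrative assumptions; the mis-issued certificate simply models a trusted CA signing a request for a name it did not check, not the specifics of the VeriSign incident.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate together with the private key behind it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for subject: self-signed (a root) when issuer is nil,
// otherwise signed by the issuer's key. isCA sets the basicConstraints CA flag that
// chain building demands of every certificate above the leaf. Demo: failures panic.
func issue(subject string, isCA bool, issuer *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is an assumption
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // one-day validity, assumed
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert: cert, key: key}
}

// verifies reports whether leaf chains, through the presented intermediates, to one of
// the trusted roots. Every signature on the path is checked; only the root is trusted a priori.
func verifies(leaf *entity, presented, trusted []*entity) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // empty, not nil: nil selects system roots
	for _, e := range trusted {
		roots.AddCert(e.cert)
	}
	for _, e := range presented {
		inters.AddCert(e.cert)
	}
	_, err := leaf.cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// runScenarios builds Example Root CA -> Example Issuing CA -> leaf, plus an unrelated
// self-signed Rogue CA, and records which presentations the verifier accepts.
func runScenarios() map[string]bool {
	root := issue("Example Root CA", true, nil)
	sub := issue("Example Issuing CA", true, root)
	leaf := issue("Example Software Inc", false, sub)
	rogue := issue("Rogue CA", true, nil)
	fake := issue("Example Software Inc", false, rogue)    // same name, untrusted issuer
	misissued := issue("Example Software Inc", false, sub) // same name, trusted issuer, careless vetting
	chain := func(es ...*entity) []*entity { return es }
	return map[string]bool{
		"full chain, root trusted":            verifies(leaf, chain(sub), chain(root)),
		"full chain, nothing trusted":         verifies(leaf, chain(sub), nil),
		"intermediate not presented":          verifies(leaf, nil, chain(root)),
		"same name, signed by untrusted CA":   verifies(fake, chain(rogue), chain(root)),
		"same name, mis-issued by trusted CA": verifies(misissued, chain(sub), chain(root)),
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-36s verifies=%v\n", name, ok)
	}
}
```

The first three cases are the answer to Roger's question: the relying party holds only the root, the issuing CA's certificate must travel with the leaf, and the verifier walks the signatures up to the root it already trusts. The rogue CA case shows that a matching subject name buys an attacker nothing without a path to a trusted root. The last case is Ron's point: a certificate the trusted CA signed after a sloppy identity check verifies exactly like a legitimate one, because the cryptography only proves who signed, not how well they checked. Note also that crypto/x509's Verify does no CRL or OCSP lookup, so the "unless revoked" part of Francisco's answer is a separate check the application must add.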

