Talk:Certificate authority

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Cryptography / Computer science  (Rated C-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the quality scale.
 High  This article has been rated as High-importance on the importance scale.
Taskforce icon
This article is supported by WikiProject Computer science (marked as High-importance).
 
WikiProject Computer Security / Computing  (Rated C-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.
 
edit·history·watch·refresh Stock post message.svg To-do list for Certificate authority:
  • Provide a sample of Certification Service Providers (CSP) such as:
Austria: A-Trust
Belgium: Certipost
Brasil: Unicert
France: Keynectis, Certinomis
Germany: TC-Trustcenter, Telekom, Deutsche Post
Holland: DigiNotar, QuoVadis
Hong Kong: Digisign, Hongkong Post
India: Tata
Italy: Postecert, Actalis
Poland: Certum
Spain: Catcert, Izenpe, ACCV, IPSca (acronyms are discourages in Wikipedia)
Switzerland: QuoVadis (also Bermuda), Swisscom, Swisssign
Tunisia: ANCE (acronyms are discourages in Wikipedia)
UAE: Etisalat
UK: Trustis

-- Cryptoki 01:25, 21 February 2007 (UTC)

  • Identify what a list of web browser trusted authorities is, what it does, who maintains it, who uses it, and examples of who is on this list. Stephen Charles Thompson (talk) 00:27, 18 October 2008 (UTC)
  • Mightn't it be better to create a comparison of (notable) CAs, with columns for: "trusted by (latest version of Firefox, IE, Safari, etc)", "EV available?", "Wildcard available?", and other useful criteria? zazpot (talk) 16:27, 1 January 2009 (UTC)
  • How about this, for instance? zazpot (talk) 18:52, 1 January 2009 (UTC)

Example section[edit]

I understand that provided usage example tried to explain topic in layman's terms, but it shouldn't be done at expense of accuracy. In current state it is factually wrong, public keys are not received "along with all the data that his web-browser displays"; public/private key are not used to encrypt client data, instead they used to securely establish joint shared secret, which in turned used to encrypt application data both ways with symmetric key cipher. Besides, this sample usage doesn't really belong to CA article even if described correctly. — Preceding unsigned comment added by 60.241.87.202 (talk) 14:41, 4 October 2012 (UTC)

The first CA[edit]

Who was the first commercial CA?

RSA Certificate Services which was spun out as VeriSign Inc. --66.31.35.185 16:56, 14 March 2006 (UTC)
Great! Now put it in the article. Stephen Charles Thompson (talk) 00:29, 18 October 2008 (UTC)
Nope, the Entrust CA 1.0, released in 1994, was the first commercial CA product.

Trust of a CA[edit]

Should there not be some discussion and references to the methods involved in developing a third party trust particular to the Certificate Authority/PKI technology and industry?

http://www.ietf.org/rfc/rfc3647.txt
Internet Engineering Task Force IETF RFC3647
November 2003M

"This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527."


http://webstore.ansi.org/ansidocstore/product.asp?sku=ANSI+X9.79%3A2001
American National Standards Institute ANSI X9.79:2001
2001

"Defines the components of a PKI and sets a framework of practices and policy requirements for a PKI. The standard draws a distinction between PKI systems used in open, closed and network environments. It further defines the operational practices relative to industry accepted information systems control objectives. PKI practices implementing this standard can support multiple policies that incorporate the use of digital signature technology. This standard allows for the implementation of operational, baseline PKI practices that satisfy industry accepted information systems control objectives."


http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
AICPA/CICA Web Trust Program for Certificate Authorities Version 1.0
American Institute of Certified Public Accountants/
Canadian Institute of Chartered Accountants
August 25, 2000

"This document provides a framework for licensed WebTrust® practitioners to assess the adequacy and effectiveness of the controls employed by certification authorities (CAs)." (p12!)


http://www.ietf.org/rfc/rfc2527.txt
Internet Engineering Task Force IETF RFC2527
March 1999

"This document presents a framework to assist the writers of certificate policies or certification practice statements for certification authorities and public key infrastructures. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy definition or a certification practice statement."

Requested move[edit]

While "certificate authority" is common, "certification authority" is the more correct (cf. "registration authority", not "register authority"). "Certification authority" is the term standardized by X.509. --Ant 09:38, 8 January 2007 (UTC)

509 is increasingly irrelevant to real world practice. And in the case of hte English terms here, certificate is a thing (though abstact) which is issued by some entity (the authority). That entity does not do certification in some even more abstract sense. I would retain the usual usage here for that reason, as well as for the reason of usual usuage. Disagree. ww 00:42, 9 January 2007 (UTC)
As there does not appear to be consensus for the renaming, I'm delisting the request from WP:RM. -GTBacchus(talk) 00:37, 15 January 2007 (UTC)
May I suggest a REDIRECT for the suggested "certification authority" to point to the current article title? These notes would be well placed on the talk page of that REDIRECT. Stephen Charles Thompson (talk) 00:32, 18 October 2008 (UTC)
This really shouldn't be about consensus - it's about what Wikipedia is and what it's used for. Were I to use this article as a springboard to do further research, say in ISO/ITU, IETF, CA/Browser Forum, or any other authoritative, industry respected area, I would encounter the term "certification authority". It's the one that is defined in X.509 (saying X.509 is irrelevant is like saying dirt is irrelevant because I buy my produce from a market). Certainly one hears "certificate authority" used colloquially - and that term should be redirected to an article titled "certification authority" for the convenience of those who have only heard of the topic in casual spoken or written conversation. But to use the non-authoritative term makes Wikipedia look uninformed. It would make a reader like me infer that Wikipedia is not a starting point for serious research. This is not a religious argument, or about what is more "right" - it's about what you want Wikipedia to be. Bergtau (talk) 04:56, 6 December 2012 (UTC)

Alice, Bob and Mallory[edit]

It says "Bob can be tricked into accepting a forged signatures from Alice", but Alice is the good girl here, so I would recommend to change "apparently from Alice". -- Mtodorov 69 10:31, 14 May 2007 (UTC)

Good attention to semantics. I will make this change. Stephen Charles Thompson (talk) 00:35, 18 October 2008 (UTC)

Mallory's gender[edit]

I notice there's been a series of edits (1, 2, 3) changing Mallory's gender. The Wikipedia article on the topic doesn't specify a gender for Mallory, though. I don't think the gender's terribly important, and it would be nice if editors would direct their attention to parts of the article in greater need of improvement. zazpot (talk) 20:45, 24 February 2009 (UTC)

Market share[edit]

The bit about April 2007 market shares has Network Solutions separated from "VeriSign and its acquisitions," but the VeriSign article says that Network Solutions was acquired by VeriSign in 2000. Can someone clarify or verify?

-- Verisign bought Network Solutions in 2000 for $15 billion in stock. It sold Network Solutions' internet registrar business in 2003 to Pivotal Private Equity for $100 million (retaining exclusive control of the registry business). --Cryptoki 16:18, 7 June 2007 (UTC)

The Security Share link goes to a page that requires registration. Is there a freely available source for the information instead? If not, I think the link should be deleted as per Wikipedia:External_links#Sites_requiring_registration 67.43.134.60 (talk) 01:00, 11 April 2008 (UTC)

Expiration Dates[edit]

Any comment on how the sole purpose of a certificate expiring is to make CAs more money? I don't have a problem with losing the ability to sign an applet after two years, but those applets that I have signed, what makes them not secure anymore simply because a date has passed? --npapadon 16:58, 1 Dec 2008 (UTC)

It creates a narrower time window in which the key is vulnerable to brute force attacks. Two years is acceptable because it is unreasonable to be cracked in that time, while not being too much of a nuisance to certificate owners. As vulnerabilities in the architecture are corrected and security is improved, a time limit also helps to cycle out keys that may have been generated with less-secure or compromised keys/algorithms.74.9.98.150 (talk) 21:56, 9 July 2010 (UTC)
Not too much of a nuisance? For site SSL certificates, perhaps. For signed code, the model is not really right - but that is another topic. pbannister (talk) 23:35, 19 January 2011 (UTC)

security[edit]

there needs to be a security section which covers:

  • how this CA thing works
  • what hacks exist against it's security:
http://blogs.zdnet.com/security/?p=2339
  • how this chain of trust works
    • every trust center (CA) can issue a cert for any domain, there is no hierarchy but a flat hierarchy meaning there is no single root CA but many CAs which are included into a browser by trust centers
  • how browsers implement the client side
    • which CAs are included in the distribution of the browser
    • how cert revocation works
    • how usability is optimized to make the weakest part (the user) not even weaker
    • a list of legendary browser issues as:
      • there was some ssl weakness in IE some time ago, can't find it right now
  • what other use cases than browsers today exist:
    • using ssl in EAP
    • using ssl as a library for any kind of application

--134.2.186.8 (talk) 10:56, 4 July 2009 (UTC)

Subversion of CA is confusing, yep[edit]

It's confusing in basic sentence structure and flow. Here's how:

  Mallory (using the Alice and Bob convention), manages to get a CA to:
   1) issue a false certificate tying Alice to the wrong public key with the corresponding private key being known to Mallory. this allows Mallory to receive confidential messages meant for Alice.
   2) issue a certificate and private key to Mallory that contains elements of Alice's identity, allowing similar subversions of confidentiality; "

are 1) and 2) AND conditions or are they OR conditions for the subversion to succeed?

 Then if Bob subsequently obtains such a certificate..."

which certificate, 1) or 2)?

Also for 1), does "tying alice to the wrong public key" mean, essentially, that Mallory represented himself as Alice (or an agent acting for Alice?). If so, wouldn't it be better to state it as "1) Mallory impersonates Alice and gets the CA to issue him a certificate that purports to represent Alice. This allows..." But then, if that's a correct rephrasing of 1), I don't understand what the difference is between 1 and 2. Leotohill (talk) 01:50, 3 December 2008 (UTC)

I agree it is a bit confusing. I think the two bullets in the article are meant to list two ways to trick the CA, either of which will allow Mallory to do bad things. I can think of a few scenarios, and I'm not sure which of these the bullets are meant to describe:
  1. Mallory gets the CA to associate Alice's name and true identity information (perhaps an email address) with a private key that is known only to Mallory. Mallory then intercepts any messages using that key, reads them, responds to them, and makes sure they never reach Alice.
  2. Mallory gets the CA to associate Alice's name and false identity information (perhaps an email address) with a private key that is known only to Mallory. Messages intended for Alice are delivered to Mallory's email address, and read and responded to by Mallory. --Gerry Ashton (talk) 02:47, 3 December 2008 (UTC)
Thanks, Gerry. It's good to know that I'm not the only one who finds it confusing.
From your explanation, it seems that the only difference is that in the first case the certificate holds Alice's email address, and in the second case it holds Mallory's. I think that it isn't helpful to have these two examples that differ in this way. I propose to reduce it to one example case, with followup narrative that may mention other possibilities. I'll make that change after I've waited a bit for other comments here.
BTW, you meant to say private key, not public key, right? Leotohill (talk) 02:57, 3 December 2008 (UTC)
ok, I've made a substantial edit, and added a real-world example case. Leotohill (talk) 03:41, 3 December 2008 (UTC)


Mozilla moved its CA page[edit]

I did a small update of URLs to make them point to the new page where Mozilla lists its builtin CAs. — Preceding unsigned comment added by Espadrine (talkcontribs) 12:25, 25 August 2011 (UTC)

How can we tell this is posted by Mozilla? It seems quite surprising, considering all the resources available to Mozilla, that they would post anything worth mentioning on Google docs. Jc3s5h (talk) 13:16, 25 August 2011 (UTC)

History ???[edit]

Who invented the idea of certificates? In what year, and after what discussions? When and why did net-creating org's accept them, and after what discussions? How were they established as the basis of trust in the WWW? Who made those decisions? What are the names of the first CA's, and what are the practical and legal requirements of becoming a CA? Who regulates them? What did the original CA's need to do to establish the trust of customers, net creators, governments and regulatory authorities?
(Some of these questions may be answered in the article; I'm only trying to point out that while the article looks clear about -what exists-, it's unclear why they have any authority or deserve any trust.) Twang (talk) 19:45, 20 September 2011 (UTC)

Citations[edit]

The first citations were introduced in this version of the article in December 2008. The date format was YYYY-MM-DD and citation templates were used. Jc3s5h (talk) 10:45, 23 May 2012 (UTC)

remove warning[edit]

I think we should remove the warning in the "Issuing a certificate" section as I see nothing on this talk page explaining what needs to be done. Eiler7 (talk) 15:59, 2 September 2012 (UTC)

Fair point. I've replaced it with a norefs|section warning. zazpot (talk) 15:10, 3 September 2012 (UTC)

This article is all detail and no over-view.[edit]

I have not been able to find out, on the net, the answer to this simple question that a wikipedia article should answer: does this business with CA's and root certification have anything at all to do with the average user browsing the internet, or does it only apply to computer experts who are sending and receiving encrypted messages? A wikipedia article should start right off explaining when and where the CAs apply.77Mike77 (talk) 15:51, 14 November 2013 (UTC)

Commercial vocation of CAs[edit]

The definition says "Commercial CAs [...] issue certificates that will automatically be trusted by most web browsers". The statement is currently true, but it implies that non-profit CAs like CAcert will never make it into mainstream, a somewhat annoying concept. It is also true that the boost of certification occurred after Internet commerce. However, I would not define cryptography as a commercially-oriented discipline.

Browsers are highly generic applications, so it is difficult to tell whether online commerce is their main job. Mail clients and VPNs seem to be somewhat more restricted in scope. The article silently assumes that certificates good for browsers are also good for any other application. If that is correct, it should be explained.

Finally, a site which uses self-signed certificates is obviously acting as its own CA. There is no mention of this.

I'll try and amend the definition as soon as I'm inspired enough... ale (talk) 16:21, 20 December 2013 (UTC)