At 3:29 PM 9/20/93 -0400, peace(_at_)bix(_dot_)com wrote:
> John Lowry> A certificate is an assertion of a binding between an identity
> (in the form of a DN) and a public key. The purpose of PCAs and their
> policies is to help establish how much faith to place in the veracity of
> the stated identity.
> ...
> While I agree with the statement, I would like to know what authority you
> have to make it. I have unsuccessfully looked for such a definition of
> purpose in both the CCITT and internet documents. Any help here would be
> appreciated.
Perhaps you have not looked seriously. This took me less than 60 seconds
to find using a search command:
Briefly, a (public-key) certificate is a data structure which
contains the name of a user (the "subject"), the public component
(This document adopts the terms "private component" and "public
component" to refer to the quantities which are, respectively, kept
secret and made publicly available in asymmetric cryptosystems. This
convention is adopted to avoid possible confusion arising from use of
the term "secret key" to refer to either the former quantity or to a
key in a symmetric cryptosystem.) of that user, and the name of an
entity (the "issuer") which vouches that the public component is
************************************
bound to the named user. This data, along with a time interval over
************************
which the binding is claimed to be valid, is cryptographically signed
by the issuer using the issuer's private component. The subject and
issuer names in certificates are Distinguished Names (DNs) as defined
in the directory system (X.500).
Kent [Page 3]
-------------------
The next search on "bound" took only a few seconds more.
-------------------
signature, as described in RFC 1424.) The CA will employ some means,
specified by the CA in accordance with the policy of its PCA, to
validate the user's claimed identity and to ensure that the public
component provided is associated with the user whose distinguished
name is to be bound into the certificate. (In the case of PERSONA
*****
certificates, described below, the procedure is a bit different.) The
certifying authority generates a certificate containing the user's
distinguished name and public component, the authority's
Kent [Page 11]
------------------
Now, why don't you try a few lookups yourself!
Regards, -Rob-
Robert W. Shirey, The MITRE Corporation, Mail Stop Z202
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
shirey(_at_)mitre(_dot_)org * tel 703.883.7210 * fax 703.883.1397