iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)
Security Concepts
iTP Secure WebServer System Administrator’s Guide—522659-001
D-7
Obtaining Certificates
Obtaining Certificates
To obtain a public key certificate, Juliet first generates her own key pair. She then sends
the public key part of her key pair to an appropriate CA, along with convincing proof of
her identity. After validating Juliet’s identity, the CA sends Juliet a certificate attesting to
the binding between Juliet Capulet and her public key. It also sends her a certificate
chain verifying the CA’s own public key. As discussed in Using Certificates
on
page D-6, Juliet can now use her certificate and inherited chain to demonstrate the
legitimacy of her public key.
CAs require varying forms of proof for verifying an applicant’s identity. One CA may
require a driver’s license, another may require notarization of the certificate request
form, yet another may require fingerprints. The Apple Computer Open Collaborative
Environment (OCE), for example, requires that the certificate request form be notarized.
Secure Sockets Layer (SSL)
This section introduces the Secure Sockets Layer (SSL). It describes the following
topics:
•
What SSL Does (See below)
•
SSL 3.0 Protocol Enhancements Over SSL 2.0 (See page D-8)
•
Deploying SSL (See page D-8)
What SSL Does
The Secure Sockets Layer (SSL) protocol provides channel security for all
communications between a web client and a server during any session for which SSL is
operative.
SSL provides the following types of security between a web client and a server:
Because SSL and HTTP are different protocols and typically use different port numbers
(such as 443 and 80, respectively), the iTP Secure WebServer can handle secure and
standard clients simultaneously. This means that some information can be provided to
users in unencrypted form while other information can be provided only in encrypted
form.
Private After a simple handshake to define a secret key, all messages
between the web client and server are encrypted.
Authenticated The server is always authenticated with its public key certificate.
The web client is optionally authenticated to the server.
Reliable The message transport uses a message authentication code
(MAC) to ensure that messages are not modified in transit.