iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)

Security Concepts
iTP Secure WebServer System Administrator’s Guide—523346-002
Using Certificates
Public key certificates establish confidence in the legitimacy of the public keys to which
the certificates are bound. Recipients of these certificates can use them to verify not
only the signature of the certificate owner but also the certificate itself. This level of
verification provides strong assurance against forgery or false representation.
Two or more certificates may be enclosed with the same message, each certificate
testifying to the authenticity of the previous one. Such a hierarchy of
authentication is called a certificate chain. At the end of such a chain is a top-level
CA that is trusted without a certificate from any other CA (see Figure D-3 below).
The most secure form of authentication involves enclosing multiple public key
certificates with every signed message sent. However, the more familiar the sender is
(or becomes) to the receiver of a message, the less need there is to enclose multiple
certificates. For example, Juliet might send Romeo multiple certificates with her first
message to him but only a single certificate thereafter, after Romeo has had a chance
to verify all the certificates accompanying her first message.
The best practice is probably to enclose a certificate chain of sufficient length so that
the issuer of the highest-level certificate in the chain is well-known to the receiver.
In accordance with the Public Key Certificate Standards (PKCS), every signature
points to the certificate that validates the public key of the signer. That is, each
signature carries the name of the certificate's issuer and the certificate's serial number,
which together identify the certificate. Thus, even if no certificates are enclosed with a
message, a verifier that already holds the certificates can still locate the chain and
check the status of the signer's public key.
Figure D-3. Certificate Chain (figure not reproduced; labeled elements: Top Level (Trusted) CA, CA, CA, CA, Sender, Receiver)
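The following Go program, added here as an illustration and not part of the iTP Secure WebServer guide or product, builds the three-level hierarchy of Figure D-3 (a self-signed top-level CA, an intermediate CA, and a sender certificate) with Go's standard crypto/x509 package and then plays out the Juliet/Romeo exchange: the receiver trusts only the top-level CA, rejects a message that encloses the sender's certificate alone, accepts one that encloses the full chain, caches the CA certificates it learned from that verified chain, and from then on accepts messages that enclose only the sender's certificate. It also shows the PKCS-style lookup by issuer name and serial number. All names (`Example Top-Level CA`, `Example Intermediate CA`, `juliet.example`) and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for subject. With parent == nil the certificate
// is self-signed (the top-level CA); otherwise the parent's key signs it.
func newCert(subject string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject}, // constructed names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain is the hierarchy of Figure D-3: trusted top-level CA -> CA -> sender.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// BuildChain generates a fresh hierarchy with constructed names and serials.
func BuildChain() (*Chain, error) {
	root, rootKey, err := newCert("Example Top-Level CA", 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert("Example Intermediate CA", 2, true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert("juliet.example", 3, false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Receiver models the verifier (Romeo): one trusted top-level CA plus a cache
// of CA certificates learned from earlier messages whose chains verified.
type Receiver struct {
	roots  *x509.CertPool
	cached []*x509.Certificate
}

func NewReceiver(trustedRoot *x509.Certificate) *Receiver {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	return &Receiver{roots: roots}
}

// Accept verifies the signer's certificate using the certificates enclosed with
// the message plus anything cached from earlier messages. CA certificates on the
// verified chain are cached, so later messages may enclose the signer's cert alone.
func (r *Receiver) Accept(signer *x509.Certificate, enclosed []*x509.Certificate) error {
	inter := x509.NewCertPool()
	for _, c := range append(r.cached, enclosed...) {
		inter.AddCert(c)
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: r.roots, Intermediates: inter})
	if err != nil {
		return err
	}
	r.cached = append(r.cached, chains[0][1:]...) // everything above the signer
	return nil
}

// LookupByIssuerAndSerial resolves the reference a PKCS-style signature carries:
// the signer's certificate is named by its issuer and serial number, not enclosed.
func LookupByIssuerAndSerial(certs []*x509.Certificate, issuerCN string, serial int64) *x509.Certificate {
	for _, c := range certs {
		if c.Issuer.CommonName == issuerCN && c.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return c
		}
	}
	return nil
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	romeo := NewReceiver(ch.Root)
	fmt.Println("signer cert only, nothing cached:", romeo.Accept(ch.Leaf, nil))
	fmt.Println("full chain enclosed:", romeo.Accept(ch.Leaf, []*x509.Certificate{ch.Intermediate}))
	fmt.Println("signer cert only, chain cached:", romeo.Accept(ch.Leaf, nil))
}
```

The first call fails because the receiver cannot link the sender's certificate to its trusted top-level CA; once the full chain has been verified and cached, the sender can drop back to enclosing a single certificate, exactly as the text describes. A receiver configured with a different top-level CA rejects the same chain, which is the point of trusting the root without a certificate from any other CA.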