iTP Secure WebServer System Administrator's Guide (Version 7.0)

ManualsBrandsHP ManualsServerHP NonStop G-Series

411

412

413

414

415

416

417

418

419

420

Security Concepts

iTP Secure WebServer System Administrator’s Guide—523346-012

D-7

Obtaining Certificates

In accordance with the Public Key Certificate Standards (PKCS), every signature

points to a certificate that validates the public key of the signer. In other words, each

signature contains the name of the issuer of the certificate and the serial number of the

certificate. Therefore, even if no certificates are enclosed with a message, a verifier

can still use the certificate chain to check the status of the public key.

Obtaining Certificates

To obtain a public key certificate, Juliet first generates her own key pair. She then

sends the public key part of her key pair to an appropriate CA, along with convincing

proof of her identity. After validating Juliet’s identity, the CA sends Juliet a certificate

attesting to the binding between Juliet Capulet and her public key. It also sends her a

certificate chain verifying the CA’s own public key. As discussed in Using Certificates

on page D-6, Juliet can now use her certificate and inherited chain to demonstrate the

legitimacy of her public key.

CAs require varying forms of proof for verifying an applicant’s identity. One CA might

require a driver’s license, another might require notarization of the certificate request

form, yet another might require fingerprints. The Apple Computer Open Collaborative

Environment (OCE), for example, requires that the certificate request form be

notarized.

Secure Sockets Layer (SSL)

This subsection describes:

•

What SSL Does

•

SSL 3.0 Protocol Enhancements Over SSL 2.0 on page D-8

•

Deploying SSL on page D-8

What SSL Does

The Secure Sockets Layer (SSL) protocol provides channel security for all

communications between a Web client and a server during any session for which SSL

is operative.

SSL provides the following types of security between a Web client and a server:

Private After a simple handshake to define a secret key, all messages

between the Web client and server are encrypted.

Authenticated The server is always authenticated with its public key certificate.

The Web client is optionally authenticated to the server.

Reliable The message transport uses a message authentication code

(MAC) to check that messages are not modified in transit.