public-key certificates

Fraudulent Public-Key Certificates

We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.

So what happens if the public-key certificate is fraudulent?

For that matter, what makes a certificate fraudulent, and how would such a thing arise?

A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.

Design Patterns for Identity Systems

These are design patterns in the Christopher Alexander sense rather than the object-oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.


There are four patterns: local, direct, indirect, and off-line.


Penalizing Unauthenticated SSL Certificates

Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site's crypto credentials have not been countersigned by a recognized certificate authority.

On Slashdot, Chandon Seldon argues that the Mozilla SSL Policy is Bad For the Web, which links to material by Nat Tuck saying, again, Mozilla SSL policy bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.

This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can't verify a site's identity - that's what the browser is supposed to do. SSL certificate management is the best affirmative defense in the Internet today and these suggestions will only weaken it.

SSL Site "Seal"

As noted earlier, I'm now using SSL to secure parts of my site. I used to have arrangements like that at, my old ISP, but I'm making better use of it with WordPress and such.
