Verisign

Fraudulent Public-Key Certificates

We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.

So what happens if the public-key certificate is fraudulent?

For that matter, what makes a certificate fraudulent, and how would such a thing arise?

A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.

OpenID Delegation on WordPress

Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?

Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTTP files that redirect the OpenID process from your web site to the service that actually does your OpenID authentication.
