Self-signed certificate

Self-signed certificate

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy.

In typical public key infrastructure arrangements, that a particular public key certificate is valid (i.e., contains correct information) is attested by a digital signature from a certificate authority (CA). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme.

Obviously, the highest-ranking CA's certificate can't be attested by some other higher CA (there being none), and so that certificate can only be "self-signed." Such certificates are also termed root certificates. Clearly, the lack of mistakes or corruption in the issuance of such certificates is critical to the operation of its associated PKI; they should be, and generally are, issued with great care.

In a web of trust certificate scheme there is no central CA, and so identity certificates for each user can be self-signed. In this case, however, it is additional signatures from other users which are evaluated to determine whether a certificate should be accepted as correct. So, if users Bob, Carol, and Edward have signed Alice's certificate, user David may decide to trust that the public key in the certificate is Alice's (all these worthies having agreed by their signatures on that claim). But, if only user Bob has signed, David might (based on his knowledge of Bob) decide to take additional steps in evaluating Alice's certificate. On the other hand, Edward's signature alone on the certificate may by itself be enough for David to trust that he has Alice's public key (Edward being known to David to be a reliably careful and trustworthy person). There is of course, a potentially difficult regression here, as how can David know that Bob, Carol, Ted, or Edward have signed any certificate at all unless he knows their public keys (which of course came to him in some sort of certificate)? In the case of a small group of users who know one another in advance and can meet in person (e.g., a family), users can sign one another's certificates when they meet as a group, but this solution does not scale to larger settings. This problem is solved by fiat in X.509 PKI schemes as one believes (i.e., trusts) the root certificate by definition. The problem of trusting certificates is real in both approaches, but less easily lost track of by users in a Web of Trust scheme.

ee also

* Web of trust
* Digital signature
* Characters in cryptography

Terminology

;C:Country;CA:Certificate authority;CN:Common Name;CSR:Certificate signing request;DER:Distinguished Encoding Rules;O:Organization;OU:Organizational Unit


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Public key certificate — Diagram of an example usage of digital certificate In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind a public key with an… …   Wikipedia

  • Root certificate — In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure… …   Wikipedia

  • Certificate authority — In cryptography, a certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others… …   Wikipedia

  • Tiananmen Square self-immolation incident — The Tiananmen Square self immolation incident took place on 23 January 2001. Five people attempted to set themselves on fire in Tiananmen Square, Beijing. Within hours, the news was publicised by China Central Television (CCTV), who claimed the… …   Wikipedia

  • Https — Hypertext Transfer Protocol over Secure Socket Layer or HTTPS is a URI scheme used to indicate a secure HTTP connection. It is syntactically identical to the http:// scheme normally used for accessing resources using HTTP. Using an https: URL… …   Wikipedia

  • Opportunistic encryption — (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre arrangement between the two systems. Opportunistic …   Wikipedia

  • X.509 — In cryptography, X.509 is an ITU T standard for a public key infrastructure (PKI) for single sign on and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate… …   Wikipedia

  • CAcert.org — is a community driven certificate authority that issues free public key certificates to the public [ [https://www.cacert.org/index.php?id=12 About CAcert] ] (unlike other certificate authorities which are commercial and sell certificates). CAcert …   Wikipedia

  • Obfuscated TCP — (ObsTCP) was a proposal for a transport layer protocol which implements opportunistic encryption over TCP. It was designed to prevent mass wiretapping and malicious corruption of TCP traffic on the internet, with lower implementation cost and… …   Wikipedia

  • Public key fingerprint — In public key cryptography, a public key fingerprint is a short sequence of bytes used to authenticate or look up a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”