– A certificate authority, or CA for short, is the entity responsible for issuing digital certificates to users.
– The CA is an important part of public-key cryptography.
– The purpose of a digital certificate is to certify that a public key belongs to the named subject, i.e. to bind the key to the identity of its owner.
– This makes it easy for other users, i.e. the relying parties, to rely on these assertions and on the signatures made by the private key belonging to the certified public key.
– This model is called the trust relationship model.
– Here, besides the two communicating parties, there is a trusted third party, the certificate authority itself, which both parties trust.
– A certificate authority is a characteristic component of many PKI (public key infrastructure) schemes.
– Commercial CAs charge a fee for their certificate services; their value lies in being trusted by a large number of web browsers.
– Ubiquity is the term used for the number of devices, web browsers and browser applications that trust a particular CA.
– Apart from the commercial certificate authorities, a number of CAs issue certificates free of charge.
– On the other hand, some government bodies and other large institutions and organizations run a certificate authority of their own.
– Commercial certificate authorities use the "domain validation" technique to issue certificates in bulk to clients for public HTTP servers and email servers.
– This technique is used to authenticate the recipient of the certificate.
– In this technique, an email containing an authentication link or token is sent to an administrative email address of the domain.
– The address may be that of the technical contact listed in the domain's WHOIS entry.
– The basic idea behind domain validation is that only the legitimate owner of the domain can read the emails sent to its administrative addresses.
– However, the security of domain validation has certain structural limitations.
– It is vulnerable to attacks in which the adversary is able to see the validation emails being sent by the CA.
– These attacks may target the TCP, BGP or DNS protocols.
– These protocols have no TLS/SSL cryptographic protection of their own.
– These attacks may even target the routers.
– Such attacks can take place at either of two points: near the victim, i.e. the domain being attacked, or near the certificate authority.
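As an added illustration of the email-based domain validation flow described in the points above, and of why interception of the validation email defeats it, here is a constructed Python model of the CA side of the check. It is not code from any real CA; the list of administrative mailboxes, the WHOIS stand-in table, the domain names and the 600-second challenge lifetime are all assumptions made for the example.

```python
"""Toy model of a CA's email-based domain validation (DV) challenge.

Constructed example: the administrative local-parts, the WHOIS stand-in and
the lifetime are assumptions, not a real CA's policy or code.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: the CA delivers the challenge only to these mailboxes of the
# domain itself, or to the technical contact found in the domain's WHOIS entry.
ADMIN_LOCAL_PARTS = {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}

# Constructed stand-in for a WHOIS lookup of the domain's technical contact.
FAKE_WHOIS_TECH_CONTACT = {"example.test": "tech-contact@registrar.test"}

# Assumed challenge lifetime; short lifetimes narrow (but do not close) the
# window in which an intercepted email is useful.
CHALLENGE_TTL_SECONDS = 600


@dataclass
class Challenge:
    domain: str
    email: str
    token: str
    issued_at: float
    used: bool = False


def approved_addresses(domain):
    """Addresses the CA is willing to send the validation email to."""
    addrs = {f"{lp}@{domain}" for lp in ADMIN_LOCAL_PARTS}
    tech = FAKE_WHOIS_TECH_CONTACT.get(domain)
    if tech:
        addrs.add(tech)
    return addrs


def issue_challenge(domain, email, now=None):
    """Create the token the CA mails out; refuse non-administrative addresses."""
    domain, email = domain.lower(), email.lower()
    if email not in approved_addresses(domain):
        raise ValueError(f"{email} is not an approved validation address for {domain}")
    issued_at = time.time() if now is None else now
    return Challenge(domain, email, secrets.token_urlsafe(32), issued_at)


def verify_response(challenge, domain, presented_token, now=None):
    """Accept a returned token once, in time, and only for the bound domain.

    Structural limitation: the only proof of ownership is possession of the
    token, so a token read from an intercepted email verifies identically.
    """
    now = time.time() if now is None else now
    if challenge.used:
        return False
    if now - challenge.issued_at > CHALLENGE_TTL_SECONDS:
        return False
    if domain.lower() != challenge.domain:
        return False
    if not hmac.compare_digest(challenge.token, presented_token):
        return False
    challenge.used = True
    return True


def demonstrate():
    """Run the flow against a fixed clock and report each outcome."""
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    results = {}
    ch = issue_challenge("example.test", "hostmaster@example.test", now=t0)
    results["wrong_token"] = verify_response(ch, "example.test", "not-the-token", now=t0 + 5)
    results["owner"] = verify_response(ch, "example.test", ch.token, now=t0 + 10)
    results["replay"] = verify_response(ch, "example.test", ch.token, now=t0 + 11)
    stale = issue_challenge("example.test", "postmaster@example.test", now=t0)
    results["expired"] = verify_response(
        stale, "example.test", stale.token, now=t0 + CHALLENGE_TTL_SECONDS + 1)
    other = issue_challenge("example.test", "webmaster@example.test", now=t0)
    results["other_domain"] = verify_response(other, "other.test", other.token, now=t0 + 1)
    try:
        issue_challenge("example.test", "someone@unrelated.test", now=t0)
        results["unapproved_address"] = "issued"
    except ValueError:
        results["unapproved_address"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The checks that the model does enforce (single use, expiry, binding to one domain, a fixed set of administrative mailboxes) are the ones a CA controls; what it cannot check is who actually read the mailbox, which is exactly the gap the attacks on TCP, BGP and DNS exploit.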
– Extended validation, or EV, is another feature offered by some certification authorities.
– It is an alternative to the domain validation technique for cases where domain validation does not work well.
– However, even extended validation has a limitation: the attacker can still obtain the domain-validated certificate that was meant for the victim domain and use it during the attack.
– If such an attack happens, the green address bar will change to a blue one.
– This change of color in the address bar may therefore also indicate that an attack is taking place.
– Implementations of domain validation are also a source of security vulnerabilities.
– Certification authorities use a variety of standards to issue and verify certificates.
– Various problems arise in assuring that the entity and the data match each other correctly.
– It is the duty of the CA to address these problems, which is why a CA often uses a combination of authentication techniques such as the following:
- Leveraging government bureaus
- Payment infrastructure
- Third-party databases and services
- Custom heuristics
– In some systems, local authentication methods (for example, Kerberos) may be used to obtain a certificate for use with external parties.
– In a few cases, notaries may be required in order to identify the party whose signature has been notarized.