PKI: Looking at the Risks (Page 2)

Trust establishment

Public key infrastructure (PKI) is an excellent technology to help users certify that the people or companies they are corresponding with are who they say they are. It has proven itself invaluable in e-commerce among other areas. As with any technology, however, it is not without its own security risks. Eliana Stavrou discusses these risks, and ways to minimize them.

  1. PKI: Looking at the Risks
  2. Trust establishment
  3. Private key protection
  4. CRL availability
  5. Key generation
  6. Legislation compliance
By: Eliana Stavrou
January 24, 2005

Although PKI aims to establish a level of trust between individuals, issues such as inadequate identity-verification procedures on the part of the Certification Authority, and insecure configurations of the users’ computers, can lead users to question the trust relationships they have with each other.

It is a big responsibility on behalf of a CA to certify the trustworthiness of the entities requesting a digital certificate. How can you be sure that the CA has appropriate and strong procedures to verify that the requester is who he or she claims to be? What if someone tricks the CA into issuing him or her a digital certificate based on fake personal information? What if a user’s private key is stolen and he or she has not discovered and reported it in order for the certificate to be revoked? Simply put, you cannot be sure!

In addition to verifying the trustworthiness of the holders of a digital certificate, we have the issue of trusting the actual CA. How can we be sure that the CA has the appropriate resources, such as trusted personnel and a secure infrastructure? It is meaningless to trust a CA to issue certificates when physical security is absent and anyone can have access to the CA server and retrieve confidential information.

How to minimize the risk: Not everyone who possesses a digital certificate is actually trustworthy. Learn to be cautious in order to avoid future problems. When you receive a message signed by an individual, take a few moments to read the information contained in the digital certificate and then decide whether you are going to trust the person who sent it. You should consider these questions: “Do I know the person who owns the digital certificate?”, “Does the digital certificate have a valid expiration date?”, and “Is the digital certificate issued by an authority I already trust?”
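The three questions above can be applied mechanically to a sender's certificate. The following is an added example in Go using the standard library's crypto/x509 package, not code from the article; the CA named "Trusted CA", the sender "alice" and their validity periods are constructed test data, and checkSender is the entry point a mail client or verifier would call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the constructed test data below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a constructed test certificate (hypothetical CA and sender, not from the
// article). It is self-signed when parent is nil, otherwise signed by the parent CA.
func makeCert(cn string, isCA bool, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// checkSender applies the article's three questions to a sender's certificate: does it name the
// person I expect, is it within its validity period, and was it issued by a CA I already trust?
func checkSender(sender *x509.Certificate, trusted *x509.CertPool, expectedCN string, now time.Time) error {
	if sender.Subject.CommonName != expectedCN {
		return fmt.Errorf("certificate names %q, not %q", sender.Subject.CommonName, expectedCN)
	}
	// Verify fails if no chain reaches a trusted root, or if a certificate is expired or not yet valid at now.
	_, err := sender.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

A certificate that names the expected person but chains to a CA outside the trusted pool, or whose NotAfter has passed, is rejected by the Verify call, so the trust decision never rests on the name alone.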
