Public key infrastructure (PKI) is an excellent technology to help users certify that the people or companies they are corresponding with are who they say they are. It has proven itself invaluable in e-commerce among other areas. As with any technology, however, it is not without its own security risks. Eliana Stavrou discusses these risks, and ways to minimize them.
Although PKI aims to establish a level of trust between individuals, issues such as inadequate identity-verification procedures at the Certification Authority (CA), and insecure configurations of the users’ computers, can lead users to question the trust relationships they have with each other.
It is a big responsibility for a CA to certify the trustworthiness of the entities requesting a digital certificate. How can you be sure that the CA has appropriate and strong procedures to verify that the requester is who he or she claims to be? What if someone tricks the CA into issuing him or her a digital certificate based on fake personal information? What if a user’s private key is stolen and the theft has not been discovered and reported, so the certificate is never revoked? Simply put, you cannot be sure!
In addition to verifying the trustworthiness of the holders of a digital certificate, we have the issue of trusting the actual CA. How can we be sure that the CA has the appropriate resources, such as trusted personnel and a secure infrastructure? It is meaningless to trust a CA to issue certificates when physical security is absent and anyone can have access to the CA server and retrieve confidential information.
How to minimize the risk: Not everyone who possesses a digital certificate is actually trustworthy. Learn to be cautious in order to avoid future problems. When you receive a message signed by an individual, take a few moments to read the information contained in the digital certificate and then decide whether you are going to trust the person who has sent it. You should consider these questions: “Do I know the person who owns the digital certificate?”, “Does the digital certificate have a valid expiration date?”, and “Is the digital certificate issued by an authority I already trust?”
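The last two questions can be answered mechanically, and the first becomes a human decision about the subject name the check hands back. The Go program below is an added example, not code from the article or from any CA: it builds constructed test certificates in memory (the "Trusted Example CA" and the e-mail addresses are invented) and evaluates each signer against a trust store that holds only the CA we have decided to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues an in-memory test certificate (constructed for this example; no real CA is involved). A nil parent yields a self-signed CA.
func newCert(cn string, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed root: it must be allowed to sign certificates, and it signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Evaluate answers the article's questions for a signer's certificate: is it within its validity period, and does it
// chain to a CA in *our* trust store? It returns "ok: <subject> issued by <issuer>" so the reader can judge the subject, or the reason for refusal.
func Evaluate(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	if err != nil {
		return err.Error()
	}
	return "ok: " + cert.Subject.CommonName + " issued by " + cert.Issuer.CommonName
}

func main() {
	now := time.Now()
	ca, caKey := newCert("Trusted Example CA", now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the CA we have decided to trust goes into the store
	good, _ := newCert("alice@example.test", now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	expired, _ := newCert("bob@example.test", now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	selfSigned, _ := newCert("mallory@example.test", now.Add(-time.Hour), now.Add(time.Hour), nil, nil) // vouched for by nobody we trust
	for _, c := range []*x509.Certificate{good, expired, selfSigned} {
		fmt.Println(Evaluate(c, roots, now)) // alice passes; bob is expired; mallory is signed by an unknown authority
	}
}
```

Replacing the in-memory trust store with the operating system's or mail client's root store gives the same check against real certificates.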