0

PKI Question

I am trying to learn about Public Key Infrastructure (PKI). I read the following example from a book for how two users can participate in a PKI. The only part I do not understand is step #10 "When Diane receives John’s certificate, her browser looks to see if it trusts the CA that digitally signed this certificate. Diane’s browser trusts this CA and, after she verifies the certificate, both John and Diane can communicate using encryption.". What is a real world example of how Diane's browser looks to see if it trusts the CA? I thought Diane would only be accessing a web server through her browser not an end user like John.

PKI Example from Book

Now that the fundamentals of PKI are understood, let’s walk through an example. Suppose John needs to obtain a digital certificate for himself so he can participate in a PKI. The following are the steps to do so:

  1. John makes a request to the RA.
  2. The RA requests certain identification information from John, such as a copy of his driver’s license, his phone number, his address, and other identifying information.
  3. Once the RA receives the required information from John and verifies it, the RA sends his certificate request to the CA.
  4. The CA creates a certificate with John’s public key and identity information embedded. (The private/public key pair is generated either by the CA or on John’s machine, which depends on the systems’ configurations. If it is created at the CA, his private key needs to be sent to him by secure means. In most cases, the user generates this pair and sends in his public key during the registration process.
  5. Now John is registered and can participate in a PKI.
  6. John and Diane decide they want to communicate, so they take the following steps.
  7. John requests Diane’s public key from a public directory.
  8. The directory, sometimes called a repository, sends Diane’s digital certificate.
  9. John verifies the digital certificate and extracts his public key. John uses this public key to encrypt a session key that will be used to encrypt their messages. John sends the encrypted session key to Diane. John also sends his certificate, containing his public key, to Diane.
  10. When Diane receives John’s certificate, her browser looks to see if it trusts the CA that digitally signed this certificate. Diane’s browser trusts this CA and, after she verifies the certificate, both John and Diane can communicate using encryption.
cleancutguy
  • 9
  • 1
  • The browser looks to see if it trusts the CA by looking at its list of trusted CAs. It doesn't go anywhere else. "I got this note from John, and it is certified by this authority to be from John. Do I trust this authority to be telling me the truth? Let me check the list I keep of trusted authorities to see." – Ken White May 02 '14 at 23:02
  • I understand that. What I do not understand is what specific example would I be using a browser to talk to Diane for? Gmail? Instant messenger in a browser? – cleancutguy May 03 '14 at 23:46
  • The browser "talks to Diane" by **allowing** the communication if the certificate is trusted. If it isn't, it tells Diane by not allowing the communication. What part of that is not clear? "Diane doesn't know me, but I want to talk to her. Pete says I'm OK. Here's a note from him that says so." "Well, I don't know Pete, so what he says doesn't really matter. I'm not letting you talk to Diane even with that note." – Ken White May 04 '14 at 03:06
  • Firefox and IE handle this by presenting a dialog to the user that says "This site claims to be certified, but I don't recognize the certificate. What do you want me to do - allow it once, don't allow it, or add this authority to my list?" The presentation of the dialog is one way that the browser "talks to Diane". Have you really never experienced this yourself? – Ken White May 04 '14 at 03:41
  • Ok. That's what I'm getting at. The original example from the book talks about John but in reality John is really a website (webserver with a certificate). – cleancutguy May 05 '14 at 03:51
  • 1
    This question probably belongs on another site in the Stack Exchange network. Perhaps [Information Security Stack Exchange](https://security.stackexchange.com/). – jww May 07 '14 at 14:36

0 Answers0