Certificates

Certificates are essential ingredients in a public-key infrastructure. A certificate is a special kind of digital document that establishes a connection between you and your public key. It does this by being digitally "signed" by a trusted third party, sort of like a digital notary. If you or your software are presented with a certificate that is signed by a "certificate authority" you deem trustworthy, it is like having someone you know introduce a new acquaintance: "Susan, I'd like you to meet John."

Without establishing this kind of trust relationship, a criminal could attempt to steal your identity by distributing his or her own public key and asserting that it was yours. A digital certificate binds you to your public key.

You obtain a certificate by applying to a certificate authority (CA). Once the CA verifies you are who you say you are, it creates a certificate--a digital document--for you. The certificate contains:

• A name that is unique to you
• The length of time the certificate is valid
• Your public key
• Your key's purpose: to sign messages or to encrypt data

Trust plays an important role in any public-key technology. How much weight a certificate carries depends on the type of authentication information that was required by the CA before issuing the certificate.

Certificates are used by many Web sites to authenticate their Web server to your browser. They can also be used to authenticate the client to the server.

Web browsers are shipped with a list of trusted CAs, including companies like Thawte Consulting and VeriSign, Inc.. Additionally, the UW has its own CA, known as the UW Services Certificate Authority ("UW Services CA" for short), which issues digital certificates for UW services. You can install the UW services CA certificate in your browser to allow you to use secure UW Web sites with certificates issued by the UW Services CA without warning messages.

In order for the UW to manage certificates with the widest range of applicability, we will have to take care of:

• Production and maintenance of a very large standards-based directory
• Support for a highly distributed computing environment
• Methodologies supporting transparent access by applications
• Private and public key storage and access issues
• Incompatibility of browser vendors' certificate formats

Additionally, in order to become a certificate-issuing authority, UW is forced to deal with additional issues such as:

• Maintenance of a certificate repository
• Methodology for verifying individuals and departments
• Management of certificate revocation lists (CRLs)
• Renewal of key pairs and certificates
• Support for trust relationships with other certificate authorities

Certificates may be used to establish the identity of an individual, or of a computer. The UW is currently using certificates for central Web servers so that they can establish secure communication links with Web clients.

UW Technology
Contact Us
Modified: January 5, 2007