Talk:Certificate authority

Example section

I understand that the provided usage example tried to explain the topic in layman's terms, but it shouldn't be done at the expense of accuracy. In its current state it is factually wrong: public keys are not received "along with all the data that his web-browser displays"; public/private keys are not used to encrypt client data, instead they are used to securely establish a joint shared secret, which in turn is used to encrypt application data both ways with a symmetric key cipher. Besides, this sample usage doesn't really belong in the CA article even if described correctly. — Preceding unsigned comment added by 60.241.87.202 (talk) 14:41, 4 October 2012 (UTC)

The first CA

Who was the first commercial CA?

RSA Certificate Services which was spun out as VeriSign Inc. --66.31.35.185 16:56, 14 March 2006 (UTC)
Great! Now put it in the article. Stephen Charles Thompson (talk) 00:29, 18 October 2008 (UTC)
Nope, the Entrust CA 1.0, released in 1994, was the first commercial CA product.

Trust of a CA

Should there not be some discussion and references to the methods involved in developing a third party trust particular to the Certificate Authority/PKI technology and industry?

http://www.ietf.org/rfc/rfc3647.txt
Internet Engineering Task Force IETF RFC3647
November 2003

"This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527."


http://webstore.ansi.org/ansidocstore/product.asp?sku=ANSI+X9.79%3A2001
American National Standards Institute ANSI X9.79:2001
2001

"Defines the components of a PKI and sets a framework of practices and policy requirements for a PKI. The standard draws a distinction between PKI systems used in open, closed and network environments. It further defines the operational practices relative to industry accepted information systems control objectives. PKI practices implementing this standard can support multiple policies that incorporate the use of digital signature technology. This standard allows for the implementation of operational, baseline PKI practices that satisfy industry accepted information systems control objectives."


http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
AICPA/CICA Web Trust Program for Certificate Authorities Version 1.0
American Institute of Certified Public Accountants/
Canadian Institute of Chartered Accountants
August 25, 2000

"This document provides a framework for licensed WebTrust® practitioners to assess the adequacy and effectiveness of the controls employed by certification authorities (CAs)." (p12!)


http://www.ietf.org/rfc/rfc2527.txt
Internet Engineering Task Force IETF RFC2527
March 1999

"This document presents a framework to assist the writers of certificate policies or certification practice statements for certification authorities and public key infrastructures. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy definition or a certification practice statement."

Requested move

While "certificate authority" is common, "certification authority" is the more correct (cf. "registration authority", not "register authority"). "Certification authority" is the term standardized by X.509. --Ant 09:38, 8 January 2007 (UTC)

509 is increasingly irrelevant to real world practice. And in the case of the English terms here, certificate is a thing (though abstract) which is issued by some entity (the authority). That entity does not do certification in some even more abstract sense. I would retain the usual usage here for that reason, as well as for the reason of usual usage. Disagree. ww 00:42, 9 January 2007 (UTC)
As there does not appear to be consensus for the renaming, I'm delisting the request from WP:RM. -GTBacchus(talk) 00:37, 15 January 2007 (UTC)
May I suggest a REDIRECT for the suggested "certification authority" to point to the current article title? These notes would be well placed on the talk page of that REDIRECT. Stephen Charles Thompson (talk) 00:32, 18 October 2008 (UTC)
This really shouldn't be about consensus - it's about what Wikipedia is and what it's used for. Were I to use this article as a springboard to do further research, say in ISO/ITU, IETF, CA/Browser Forum, or any other authoritative, industry respected area, I would encounter the term "certification authority". It's the one that is defined in X.509 (saying X.509 is irrelevant is like saying dirt is irrelevant because I buy my produce from a market). Certainly one hears "certificate authority" used colloquially - and that term should be redirected to an article titled "certification authority" for the convenience of those who have only heard of the topic in casual spoken or written conversation. But to use the non-authoritative term makes Wikipedia look uninformed. It would make a reader like me infer that Wikipedia is not a starting point for serious research. This is not a religious argument, or about what is more "right" - it's about what you want Wikipedia to be. Bergtau (talk) 04:56, 6 December 2012 (UTC)

Alice, Bob and Mallory

It says "Bob can be tricked into accepting a forged signatures from Alice", but Alice is the good girl here, so I would recommend to change "apparently from Alice". -- Mtodorov 69 10:31, 14 May 2007 (UTC)

Good attention to semantics. I will make this change. Stephen Charles Thompson (talk) 00:35, 18 October 2008 (UTC)

Mallory's gender

I notice there's been a series of edits (1, 2, 3) changing Mallory's gender. The Wikipedia article on the topic doesn't specify a gender for Mallory, though. I don't think the gender's terribly important, and it would be nice if editors would direct their attention to parts of the article in greater need of improvement. zazpot (talk) 20:45, 24 February 2009 (UTC)

Market share

The bit about April 2007 market shares has Network Solutions separated from "VeriSign and its acquisitions," but the VeriSign article says that Network Solutions was acquired by VeriSign in 2000. Can someone clarify or verify?

-- Verisign bought Network Solutions in 2000 for $15 billion in stock. It sold Network Solutions' internet registrar business in 2003 to Pivotal Private Equity for $100 million (retaining exclusive control of the registry business). --Cryptoki 16:18, 7 June 2007 (UTC)

The Security Share link goes to a page that requires registration. Is there a freely available source for the information instead? If not, I think the link should be deleted as per Wikipedia:External_links#Sites_requiring_registration 67.43.134.60 (talk) 01:00, 11 April 2008 (UTC)

Expiration Dates

Any comment on how the sole purpose of a certificate expiring is to make CAs more money? I don't have a problem with losing the ability to sign an applet after two years, but those applets that I have signed, what makes them not secure anymore simply because a date has passed? --npapadon 16:58, 1 Dec 2008 (UTC)

It creates a narrower time window in which the key is vulnerable to brute force attacks. Two years is acceptable because it is unreasonable to be cracked in that time, while not being too much of a nuisance to certificate owners. As vulnerabilities in the architecture are corrected and security is improved, a time limit also helps to cycle out keys that may have been generated with less-secure or compromised keys/algorithms. 74.9.98.150 (talk) 21:56, 9 July 2010 (UTC)
Not too much of a nuisance? For site SSL certificates, perhaps. For signed code, the model is not really right - but that is another topic. pbannister (talk) 23:35, 19 January 2011 (UTC)

security

there needs to be a security section which covers:

  • how this CA thing works
  • what hacks exist against its security:
http://blogs.zdnet.com/security/?p=2339
  • how this chain of trust works
    • every trust center (CA) can issue a cert for any domain, there is no hierarchy but a flat hierarchy meaning there is no single root CA but many CAs which are included into a browser by trust centers
  • how browsers implement the client side
    • which CAs are included in the distribution of the browser
    • how cert revocation works
    • how usability is optimized to make the weakest part (the user) not even weaker
    • a list of legendary browser issues as:
      • there was some ssl weakness in IE some time ago, can't find it right now
  • what other use cases than browsers today exist:
    • using ssl in EAP
    • using ssl as a library for any kind of application

--134.2.186.8 (talk) 10:56, 4 July 2009 (UTC)
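As an added illustration of the points the list above asks for (a flat set of trusted roots, the chain of trust, expiry and revocation as seen by the relying party), here is a toy Python model that is not from this talk page or the article. It uses textbook RSA on small constructed primes purely to show the public/private split; a real validator also checks hostname matching, key usage, name constraints and signature padding, none of which is modelled here.

```python
import hashlib
from collections import namedtuple

# Fields the issuer vouches for, plus the issuer's signature over them
Cert = namedtuple("Cert", "subject issuer not_before not_after serial pub sig")

def tbs(cert):  # the "to-be-signed" part: every field except the signature
    return "|".join(str(f) for f in cert[:-1])

def keypair(p, q, e):  # toy textbook RSA on small primes; returns (public, private)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg, n):
    return int(hashlib.sha256(msg.encode()).hexdigest(), 16) % n

def issue(issuer, issuer_priv, subject, pub, nb, na, serial):
    n, d = issuer_priv
    cert = Cert(subject, issuer, nb, na, serial, pub, 0)
    return cert._replace(sig=pow(digest(tbs(cert), n), d, n))  # signed with the CA's private key

def sig_ok(cert, issuer_pub):  # anyone holding the issuer's public key can check this
    n, e = issuer_pub
    return pow(cert.sig, e, n) == digest(tbs(cert), n)

def validate(chain, roots, today, revoked):
    # chain = [leaf, intermediate, ...]; roots = {name: pub}; revoked = {(issuer, serial)} like a CRL
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return f"expired or not yet valid: {cert.subject}"
        if (cert.issuer, cert.serial) in revoked:
            return f"revoked: {cert.subject}"
        if i + 1 < len(chain):  # issuer is the next certificate up the chain
            if chain[i + 1].subject != cert.issuer:
                return f"broken chain at {cert.subject}"
            issuer_pub = chain[i + 1].pub
        elif cert.issuer in roots:  # issuer is a root shipped in the trust store
            issuer_pub = roots[cert.issuer]
        else:
            return f"untrusted issuer: {cert.issuer}"
        if not sig_ok(cert, issuer_pub):
            return f"bad signature on {cert.subject}"
    return "ok"

def demo(today=100):  # constructed sample: two unrelated roots, one intermediate, one site key
    root_a_pub, root_a_priv = keypair(1009, 1013, 17)
    root_b_pub, root_b_priv = keypair(1019, 1021, 7)
    int_pub, int_priv = keypair(1031, 1033, 7)
    site_pub, _ = keypair(1039, 1049, 11)
    roots = {"Root A": root_a_pub, "Root B": root_b_pub}
    inter = issue("Root A", root_a_priv, "Intermediate A1", int_pub, 0, 3650, 2)
    leaf = issue("Intermediate A1", int_priv, "example.org", site_pub, 0, 730, 1)
    by_b = issue("Root B", root_b_priv, "example.org", site_pub, 0, 730, 9)
    renamed = leaf._replace(subject="other.example")  # the signature no longer covers this name
    return {"chain_ok": validate([leaf, inter], roots, today, set()),
            "other_root_ok": validate([by_b], roots, today, set()),  # any trusted root can issue for any name
            "revoked": validate([by_b], roots, today, {("Root B", 9)}),
            "expired": validate([leaf, inter], roots, 800, set()),
            "tampered": validate([renamed, inter], roots, today, set())}
```

The "other_root_ok" case is the flat-hierarchy point from the list: nothing in the trust store ties example.org to Root A, so a certificate from any other shipped root validates just as well.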

Subversion of CA is confusing, yep

It's confusing in basic sentence structure and flow. Here's how:

  Mallory (using the Alice and Bob convention), manages to get a CA to:
   1) issue a false certificate tying Alice to the wrong public key with the corresponding private key being known to Mallory. this allows Mallory to receive confidential messages meant for Alice.
   2) issue a certificate and private key to Mallory that contains elements of Alice's identity, allowing similar subversions of confidentiality; "

are 1) and 2) AND conditions or are they OR conditions for the subversion to succeed?

 Then if Bob subsequently obtains such a certificate..."

which certificate, 1) or 2)?

Also for 1), does "tying alice to the wrong public key" mean, essentially, that Mallory represented himself as Alice (or an agent acting for Alice?). If so, wouldn't it be better to state it as "1) Mallory impersonates Alice and gets the CA to issue him a certificate that purports to represent Alice. This allows..." But then, if that's a correct rephrasing of 1), I don't understand what the difference is between 1 and 2. Leotohill (talk) 01:50, 3 December 2008 (UTC)

I agree it is a bit confusing. I think the two bullets in the article are meant to list two ways to trick the CA, either of which will allow Mallory to do bad things. I can think of a few scenarios, and I'm not sure which of these the bullets are meant to describe:
  1. Mallory gets the CA to associate Alice's name and true identity information (perhaps an email address) with a private key that is known only to Mallory. Mallory then intercepts any messages using that key, reads them, responds to them, and makes sure they never reach Alice.
  2. Mallory gets the CA to associate Alice's name and false identity information (perhaps an email address) with a private key that is known only to Mallory. Messages intended for Alice are delivered to Mallory's email address, and read and responded to by Mallory. --Gerry Ashton (talk) 02:47, 3 December 2008 (UTC)
Thanks, Gerry. It's good to know that I'm not the only one who finds it confusing.
From your explanation, it seems that the only difference is that in the first case the certificate holds Alice's email address, and in the second case it holds Mallory's. I think that it isn't helpful to have these two examples that differ in this way. I propose to reduce it to one example case, with followup narrative that may mention other possibilities. I'll make that change after I've waited a bit for other comments here.
BTW, you meant to say private key, not public key, right? Leotohill (talk) 02:57, 3 December 2008 (UTC)
ok, I've made a substantial edit, and added a real-world example case. Leotohill (talk) 03:41, 3 December 2008 (UTC)


Mozilla moved its CA page

I did a small update of URLs to make them point to the new page where Mozilla lists its builtin CAs. — Preceding unsigned comment added by Espadrine (talk · contribs) 12:25, 25 August 2011 (UTC)

How can we tell this is posted by Mozilla? It seems quite surprising, considering all the resources available to Mozilla, that they would post anything worth mentioning on Google docs. Jc3s5h (talk) 13:16, 25 August 2011 (UTC)

History ???

Who invented the idea of certificates? In what year, and after what discussions? When and why did net-creating org's accept them, and after what discussions? How were they established as the basis of trust in the WWW? Who made those decisions? What are the names of the first CA's, and what are the practical and legal requirements of becoming a CA? Who regulates them? What did the original CA's need to do to establish the trust of customers, net creators, governments and regulatory authorities?
(Some of these questions may be answered in the article; I'm only trying to point out that while the article looks clear about -what exists-, it's unclear why they have any authority or deserve any trust.) Twang (talk) 19:45, 20 September 2011 (UTC)

Citations

The first citations were introduced in this version of the article in December 2008. The date format was YYYY-MM-DD and citation templates were used. Jc3s5h (talk) 10:45, 23 May 2012 (UTC)

remove warning

I think we should remove the warning in the "Issuing a certificate" section as I see nothing on this talk page explaining what needs to be done. Eiler7 (talk) 15:59, 2 September 2012 (UTC)

Fair point. I've replaced it with a norefs|section warning. zazpot (talk) 15:10, 3 September 2012 (UTC)

This article is all detail and no over-view.

I have not been able to find out, on the net, the answer to this simple question that a wikipedia article should answer: does this business with CA's and root certification have anything at all to do with the average user browsing the internet, or does it only apply to computer experts who are sending and receiving encrypted messages? A wikipedia article should start right off explaining when and where the CAs apply. 77Mike77 (talk) 15:51, 14 November 2013 (UTC)

Commercial vocation of CAs

The definition says "Commercial CAs [...] issue certificates that will automatically be trusted by most web browsers". The statement is currently true, but it implies that non-profit CAs like CAcert will never make it into mainstream, a somewhat annoying concept. It is also true that the boost of certification occurred after Internet commerce. However, I would not define cryptography as a commercially-oriented discipline.

Browsers are highly generic applications, so it is difficult to tell whether online commerce is their main job. Mail clients and VPNs seem to be somewhat more restricted in scope. The article silently assumes that certificates good for browsers are also good for any other application. If that is correct, it should be explained.

Finally, a site which uses self-signed certificates is obviously acting as its own CA. There is no mention of this.

I'll try and amend the definition as soon as I'm inspired enough... ale (talk) 16:21, 20 December 2013 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Certificate authority. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers. —InternetArchiveBot (Report bug) 11:14, 20 January 2018 (UTC)

Original research from W3Techs surveys

WP:NOR specifies that "Wikipedia articles must not contain original research," and W3Techs is apparently OR. I agree that information about relative popularity of CAs is important, but this information might not be reliable. Also, it is reported in a potentially misleading manner: the survey tracks CA market share among groups of sites according to their popularity (e.g., top-n sites) but the article does not specify the difference and does not mention the sample group. — Preceding unsigned comment added by 130.126.255.74 (talk)

Addressed by Special:Permalink/1055523787. Liam McM 10:31, 16 November 2021 (UTC)