|Lesson 9|| Certificate issues|
|Objective||Describe the issues associated with using digital certificates. |
Certificate Issues | Associated with Digital
When deciding how to use certificates, remember their shortcomings as well as their capabilities. Certificates:
- Do not provide absolute proof of identity
- Do not allow for selective disclosure
- Are costly
In addition, your certificate password should be secured.
Certificate Password Security
During the digital certificate creation, you created a pass phrase. This pass phrase is never used again unless you need to revoke the certificate. Your clients will never use it. If someone gains access to your certificate on the server, this pass phrase is only a symmetric key for encrypting the private key on the physical hard drive. It is much easier to break symmetric keys. Therefore, make sure you physically secure your server.
Also, proper choice of a good password significantly raises the private key's protection level. If the key is physically copied, it is still useless without the key to decrypt and use it. It cannot be used or installed without this key. On the other hand, loss of this key compromises your own ability to use the certificate, so this information should be well protected.
Authentication, not proof
The possibility always exists that a hacker stole files from a user's hard drive and cracked the password. This would completely invalidate a certificate. Also, average users tend to assume that a certificate is foolproof and that anyone presenting a certificate is legitimate. This is not the case.
Users and group membership
Many e-commerce sites create specialized user groups, as well as accounts that involve user names and passwords. If you wish to authenticate users for each of these groups, certificates are not the answer. Although you can use a certificate for basic authentication and creating an SSL session,
today's certificates do not contain enough information about the user to facilitate automatic group placement or user account creation. You can require that all users first establish an SSL session, then enter information. You will then have to create a separate authentication session for users to enter the group.
Certificates do not allow selective disclosure of information. In other words, there is no way to reveal only
certain fields of the certificate to certain users. Currently, if you need to have a coworker retrieve your email for you, you need supply only your
password. However, if you are using certificates, this legitimate activity is not feasible. Digital certificates are currently an "all or
One way to get around this is the use of portable technologies, such as smart cards and similar physical storage methods.
These issues with digital certificates are being addressed, but you need to be aware of the current barriers to implementation.
Digital certificates are not free, and they require eventual renewal. You should factor these costs into your business plan. Although certificates
are not prohibitively expensive, they require a certain commitment from e-commerce vendors.
In the next lesson, we will discuss SSL transactions.
Digital Certificates - Quiz
Click the Quiz link below to take a multiple-choice quiz on digital certificates and CAs.
Digital Certificates - Quiz
Selective disclosure: The ability to reveal only portions of a digital certificate. As yet, this is not possible in an e-commerce setting.