CEH

Cryptography in Action


Peer CA The peer CA provides a self-signed certificate that is distributed to its certificate holders and used by them to initiate certification paths.


Subordinate CA A subordinate CA does not begin trust paths. Trust initiates from a root CA. In some deployments, a subordinate CA is referred to as a child CA.


Registration Authority (RA) The RA is an entity positioned between the client and the CA that is used to support or offload work from a CA. Although the RA cannot generate a certificate, it can accept requests, verify a person’s identity, and pass along the information to the CA that will perform the actual certificate generation. RAs are usually located at the same level as the subscribers for which they perform authentication.


Building a PKI Structure


Now that you understand what CAs and digital certificates are, let’s build a public-key infrastructure (PKI) system. The term does not refer to a single technology but rather to a group of technologies and concepts that work together as a unit to accomplish the tasks described earlier. PKI is designed to validate, issue, and manage certificates on a large scale. The system is simply a security architecture that you can use to provide an increased level of confidence when exchanging information over an insecure medium.

Any system that interacts with a PKI must be PKI aware, but that is a common feature in today’s environment. A PKI-aware application is any application that knows how to interact with a PKI system. Most applications have this ability, including web browsers, e-mail applications, and operating systems. All of these applications can interact with the system described in this chapter and do so transparently.

When working with PKI, understand that what ties the whole system together is trust. Trust is essential: without it, the system falls apart quickly.

Putting all the building blocks together, it is possible to see the whole process of creating a digital signature. Digital signatures make use of several cryptographic functions: asymmetric (public and private key) encryption and hashing. By combining these functions, you can provide authentication of a message or other digital item. Let’s look at each component:


Public/Private Key Encryption Though you can encrypt with a private key and then decrypt the result using the public key on the corresponding digital certificate of the encrypting party, this alone does not provide everything you need. However, because the private key is possessed only by a specific party, it can play an important part in digital signatures.


Digital Certificates Certificates are an essential component of a digital signature. Remember earlier when I said that a public key is bound to a digital certificate? This fact pays off here. The digital certificate tells the recipient of the public key that it belongs to a specific party and, by extension, that it is the companion of that party’s private key.


Hashing This is the mechanism that lets you know whether or not an item has been altered. The hash states that the signer agrees to the current state of the document. You’ll learn more about this topic in the next section.
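As an added example (not from the book), the following Go program, using only the standard library, builds the hierarchy described above (a self-signed root CA, a subordinate CA beneath it, and an end-entity certificate) and then produces and checks a digital signature from the three components just listed: the signer’s private key, the certificate that binds the matching public key to the signer, and a SHA-256 hash of the document. Names such as “Example Root CA” and any document text passed in are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and a certificate for cn with key usage ku (CertSign marks a CA).
// A nil parent yields a self-signed root that begins the trust path; otherwise the parent CA signs it.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // root CA: the certificate signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// signDocument signs the SHA-256 digest of doc (not doc itself) with the signer's private key.
func signDocument(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyDocument first requires a trust path leaf -> sub -> root (the certificate is what binds
// the public key to a party), then checks sig against a fresh hash of doc with the public key in
// leaf, so an altered document, a missing subordinate or an untrusted root all make it return false.
func verifyDocument(doc, sig []byte, leaf, sub, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	digest := sha256.Sum256(doc)
	return err == nil && ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), digest[:], sig)
}
```

To run it outside a test, add a main that calls issue for the root (x509.KeyUsageCertSign, nil parent), the subordinate (signed by the root) and the end entity (x509.KeyUsageDigitalSignature, signed by the subordinate), then signDocument and verifyDocument.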
