Certificates

A certificate binds a public key to a particular individual or entity. This is usually done using digital signatures: if a certificate bearing a public key and an individual's name is signed by a private key whose public half you already trust, then you can be reasonably assured that the public key in the certificate really does belong to the individual named in it. The assurance is only as strong as the signer's checking of that identity and the protection of the signer's private key.

Different standards that use public key cryptography employ different models for using certificates to establish trust. Such a model, encompassing the data structures, the rules for their use and the parties that use them, may be referred to as a Public Key Infrastructure (PKI). SSL, TLS and S/MIME all use X.509 v3 certificates and a hierarchical PKI in which users are certified by Certification Authorities.

All data that crosses the interface between the Symbian platform and the rest of the world needs a transport encoding, and it is in this form that it is sent and received. The transport encoding for X.509 data structures is DER-encoded ASN.1. DER (the Distinguished Encoding Rules) allows exactly one encoding for any given value, which matters for certificates: a verifier must reproduce byte for byte the data the issuer signed, so an encoding that permitted alternatives (as the more permissive BER does) would leave room for the verifier and the signer to hash different bytes.
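As an added example (not part of the original Symbian documentation), the following Go program shows the tag-length-value structure that DER imposes and walks a constructed sample structure shaped like pieces of a certificate. The sample, its "Test CA" name and the 200-byte blob are constructed for the example and are not taken from any real certificate; the OID is the standard sha256WithRSAEncryption identifier. The reader rejects the length encodings that BER permits but DER forbids (indefinite and padded lengths), which is the check a signature verifier needs before hashing what it parsed.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// ReadTLV decodes one DER element from the front of b: its tag byte, its content
// and the remaining bytes. It accepts only what DER permits: definite lengths in
// their shortest encoding. BER also allows indefinite and padded lengths; a
// verifier that accepts those hashes different bytes than the signer signed.
// (Multi-byte tags, which X.509 does not use, are rejected for brevity.)
func ReadTLV(b []byte) (tag byte, content, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("truncated: need tag and length")
	}
	if b[0]&0x1f == 0x1f {
		return 0, nil, nil, errors.New("multi-byte tag not supported")
	}
	n, pos := int(b[1]), 2
	switch {
	case n == 0x80:
		return 0, nil, nil, errors.New("indefinite length is BER, not DER")
	case n > 0x80:
		numBytes := n & 0x7f
		if numBytes > 4 || len(b) < pos+numBytes {
			return 0, nil, nil, errors.New("unsupported or truncated long-form length")
		}
		if b[pos] == 0 {
			return 0, nil, nil, errors.New("non-minimal length: leading zero byte")
		}
		n = 0
		for _, c := range b[pos : pos+numBytes] {
			n = n<<8 | int(c)
		}
		pos += numBytes
		if n < 0x80 {
			return 0, nil, nil, errors.New("non-minimal length: short form would fit")
		}
	}
	if len(b) < pos+n {
		return 0, nil, nil, errors.New("truncated content")
	}
	return b[0], b[pos : pos+n], b[pos+n:], nil
}

// Walk decodes every element in b, recursing into constructed ones (bit 6 of the
// tag set), and returns a pre-order listing of "depth:tag:length" strings.
func Walk(b []byte, depth int) ([]string, error) {
	var out []string
	for len(b) > 0 {
		tag, content, rest, err := ReadTLV(b)
		if err != nil {
			return nil, err
		}
		out = append(out, fmt.Sprintf("%d:%02x:%d", depth, tag, len(content)))
		if tag&0x20 != 0 {
			inner, err := Walk(content, depth+1)
			if err != nil {
				return nil, err
			}
			out = append(out, inner...)
		}
		b = rest
	}
	return out, nil
}

// sample is a constructed structure (not from any real certificate) shaped like
// pieces of one: a version INTEGER, a PrintableString name, an AlgorithmIdentifier
// SEQUENCE { OBJECT IDENTIFIER, NULL } and a 200-byte OCTET STRING, whose size
// forces a long-form length.
type sample struct {
	Version int
	Name    string
	Alg     struct {
		Algorithm  asn1.ObjectIdentifier
		Parameters asn1.RawValue
	}
	Blob []byte
}

// SampleDER is the DER encoding of sample, produced by Go's encoder.
func SampleDER() []byte {
	s := sample{Version: 2, Name: "Test CA", Blob: make([]byte, 200)}
	s.Alg.Algorithm = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} // sha256WithRSAEncryption
	s.Alg.Parameters = asn1.NullRawValue
	der, err := asn1.Marshal(s)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	fmt.Println(Walk(SampleDER(), 0))
	_, _, _, err := ReadTLV([]byte{0x04, 0x81, 0x05, 1, 2, 3, 4, 5}) // BER-style padded length
	fmt.Println("padded length:", err)
}
```

The walk prints the outer SEQUENCE (tag 30, 230 bytes of content, so its own length is long-form), the INTEGER, the PrintableString (tag 13), the nested AlgorithmIdentifier SEQUENCE with its OID and NULL, and the OCTET STRING. The same bytes with a padded length (04 81 05 for a five-byte string) are refused, although a BER decoder would accept them.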

Certification Authorities

Certification Authorities (CAs) are trusted third parties which perform the following functions in the PKIX public key infrastructure:

  • providing trusted 'root' certificates to users (End Entities): the root certificate carries the CA's own public key, and installing it is what makes the CA trusted

  • certifying End Entities: checking that they are who they claim to be, and generating certificates for them. The certified End Entity is the subject of the certificate; the CA is the issuer

  • supporting certificate revocation and revocation checking: if an End Entity suspects that its private key has been compromised, it contacts the Certification Authority that issued the certificate. CAs publish lists of revoked certificates (known as Certificate Revocation Lists, CRLs) at regular intervals, which End Entities can use to check that certificates sent to them have not been revoked. A CRL should itself be checked for a valid CA signature and for freshness (its next-update time) before it is relied upon

  • publishing certificates: the most likely place for this is an LDAP directory, since X.509 certificates identify their subjects and issuers by Distinguished Names, which describe a path through an X.500 directory
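As an added example (not the platform's code), the following Go program uses the standard crypto/x509 package to act as a toy CA performing the functions listed above, and as a relying party checking the result: the CA self-signs a root, issues an End Entity certificate from a key the End Entity generated, publishes a CRL, and the relying party verifies the chain to the root it trusts and then consults the CRL only after checking the CRL's own signature and next-update time. The CA name "Example Root CA", the subject "alice" and the validity periods are constructed for the example; the out-of-band identity check a real CA performs is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the CA-side setup short; a real CA would propagate these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type CA struct {
	key     *ecdsa.PrivateKey
	Root    *x509.Certificate // self-signed root: the trust anchor End Entities install
	serial  int64
	revoked []pkix.RevokedCertificate
}

// NewCA generates the CA key pair and self-signs its root (template == parent, so subject == issuer).
func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{key: key, Root: must(x509.ParseCertificate(der)), serial: 1}
}

// NewEndEntityKey is generated by the End Entity; only the public half reaches the CA.
func NewEndEntityKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Issue binds pub to commonName under the CA's signature (End Entity = subject, CA = issuer)
// and returns the DER certificate and its serial. Identity vetting is not modelled.
func (ca *CA) Issue(commonName string, pub *ecdsa.PublicKey) ([]byte, *big.Int) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca.Root, pub, ca.key)), tmpl.SerialNumber
}

// Revoke records a serial reported as compromised; CRL publishes the signed list, with
// NextUpdate as the point after which relying parties must fetch a fresh one.
func (ca *CA) Revoke(serial *big.Int) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
}

func (ca *CA) CRL() []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), // must increase per CRL
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: ca.revoked}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Root, ca.key))
}

// Validate is the relying party: trust only root, require a signature chain to it (the
// chain, not the issuer name, makes the subject name believable), then check the CRL's
// own signature and freshness before consulting it.
func Validate(certDER []byte, root *x509.Certificate, crlDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	crl, err2 := x509.ParseRevocationList(crlDER)
	if err != nil || err2 != nil {
		return fmt.Errorf("bad DER: cert=%v crl=%v", err, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("no chain to a trusted root: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted root: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale: refuse rather than assume not revoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

func main() {
	ca := NewCA()
	der, serial := ca.Issue("alice", &NewEndEntityKey().PublicKey)
	fmt.Println("fresh:", Validate(der, ca.Root, ca.CRL()))
	ca.Revoke(serial)
	fmt.Println("after revocation:", Validate(der, ca.Root, ca.CRL()))
}
```

Two points the code makes that the list above leaves implicit: a second CA with the same name but a different key produces certificates that name the same issuer yet fail Validate, because the relying party has only installed the first root; and a CRL signed by anyone other than the trusted root is rejected before its contents are read, so an attacker cannot "un-revoke" a certificate by serving their own empty CRL.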