A digital signature is extremely important in the world of computer security which relies heavily on the use of a key pair specifically for signing and verifying communications. Suppose the sender ‘signs’ one sentence at the end of an email message. You could then use software to use a private key to perform some operation on that sentence making it the digital signature, The words are not that important in a digital context, merely that the sentence can be verified by using the public key.
The digital certificate represents a mechanism for authenticating a key pair used to create the signature. However for important transactions especially those involving financial transactions then simply authenticating a digital signature like this may not be sufficient. It’s probably enough to perhaps validate a TV license for someone trying to stream BBC in USA though. For the commercial sort of transactions each key pair must be very tightly bound to the user that owns the key pair. The digital certificate is that credential that can be used to link the key pair specifically and uniquely to the entity who owns it. These digital certificate are usually issued by another third party known as the certification authorities and represent another layer in trusting the binding of the certificate.
A digital signature is probably sufficient for lots of small value transactions like verifying emails but they have limited trust. You would need much stronger verification methods in order to associate an individual identity with digital bits in a program or network transmission. The reason is that in business and eCommerce these associations must be legally provable and binding.
There is a certain amount more trust when a digital certificate is advertised, the digital signature is the ‘seal’ but the certificate adds validity to that seal. Of course for this situation to exist the certification authority has to be beyond reproach – only trusted companies or organisations can be CA’s in some cases it’s best for them to have some sort of Governmental approval.
The CA (Certification Authority) should first take steps to establish the identity before issuing a certificate. The issued certificate should contain the following information as a minimum – name, public key, serial number of certificate and validity dates. The only other information should be some details of the issuing CA which then should be signed using the CA’s own private key.
the final piece of the puzzle is to establish a mechanism by which people who have no knowledge or prior experience of each other to verify identities to exchange securely. It’s actually quite difficult because issued certificates can have all sorts of problems – they can be lost, faulty, expire or contain wrong detail – which means that certificate management is important too.
Most certificates nowadays follow the X509 v3 standard used by some of the most important security protocols. They are becoming the standard for electronic credentials and used for all sorts of situations from simple identification to authorization of financial transactions.
Further Reading
