Difference between revisions of "X.509 Certificate"

From MgmtWiki
Revision as of 13:17, 25 April 2019

Full Name or Meme

A structure defined by the CCITT (now ITU-T) that binds a Subject name to a public key and a set of Attributes.

Context

  • Up until the 1970s the Postal and Telecommunications Agencies of the world's governments simply assumed that they were responsible for assigning names and numbers to everything on the planet.
  • At that time only a few of the world's governments, like the US, had placed the responsibilities for such naming and numbering in private hands.
  • Even in the US, AT&T acted with the impunity of a government agency until it was challenged in court by companies like MCI.
  • With all of the arrogance of a government body, the ITU's Committee on Communications and International Telephone and Telegraph (CCITT) decided to specify the structure of email and the corresponding security.
  • The goal was the electronic equivalent of the existing white pages and yellow pages of the ubiquitous telephone directories.

Problems

  • The result was an exceedingly ugly encoding of everything the CCITT touched, most of which has faded into history, except for the X.509 certificate structure and naming in LDAP.
  • The security model was based on the paradigm of the time: the credit card industry and its card revocation lists, which were updated every few weeks and needed to be checked by every merchant for every transaction.

Solutions

  • At least now the certificates can be checked online (OCSP) and no longer require certificate revocation lists (CRL), although the specification still exists.
  • The content of a Web Site certificate is reasonably well defined[1] which makes them still useful for that purpose.
  • The content of a personal certificate has not been so well accepted except for highly paranoid organizations (like the US DoD) who continue to issue smart cards with personal certificates.
  • They can be used in venues such as a digital assertion of the existence of some credential, like the ability to prescribe drugs, or to sign a digital document as an agent of some real-world entity.
  • The security of the standard X.509 certificate works well enough with PKI to establish encrypted internet connections over HTTP (the web). There are existing standards for more secure certificates, DV Certs and EV Certs, that provide more Assurance of the real-world Identity of the Entity that hosts the web site, but many believe that we still can, and should, do much better at Assurance.
  • The web, meanwhile, is shifting to a new paradigm, the Json Web Token.
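To make the "exceedingly ugly encoding" and the "reasonably well defined" content of a web site certificate concrete, the following is an added example, not code from MgmtWiki or from any certificate library: a minimal DER tag-length-value encoder and decoder, using only the Python standard library, that builds the SubjectAltName extension (OID 2.5.29.17, the extension that carries a web site's DNS names) and parses it back. The byte layouts follow RFC 5280 and X.690; the function names and the sample DNS names are constructed for this example. No real certificate or network access is involved.

```python
# Added example (not from the wiki page): encode and decode an X.509 SubjectAltName
# extension in DER, the tag-length-value notation that X.509 inherited from the CCITT.

SAN_OID = "2.5.29.17"          # id-ce-subjectAltName (RFC 5280)
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_BOOLEAN = 0x30, 0x06, 0x04, 0x01
TAG_DNS_NAME = 0x82            # GeneralName dNSName is [2] IMPLICIT IA5String


def der_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER element: tag byte, length, content."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Dotted OID to DER: first two arcs share a byte, the rest are base-128 with a continuation bit."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))   # high bit set means "more bytes follow"
            arc >>= 7
        out += chunk
    return bytes(out)


def encode_san_extension(dns_names, critical=False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    general_names = der_tlv(
        TAG_SEQUENCE, b"".join(der_tlv(TAG_DNS_NAME, n.encode("ascii")) for n in dns_names))
    body = der_tlv(TAG_OID, encode_oid(SAN_OID))
    if critical:                 # DER omits a BOOLEAN that equals its DEFAULT value
        body += der_tlv(TAG_BOOLEAN, b"\xff")
    body += der_tlv(TAG_OCTET_STRING, general_names)   # extnValue wraps the inner DER
    return der_tlv(TAG_SEQUENCE, body)


def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element); rejects lengths past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_sequence(content: bytes):
    """Split the content of a SEQUENCE into a list of (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = decode_tlv(content, pos)
        items.append((tag, value))
    return items


def decode_oid(content: bytes) -> str:
    """DER OID bytes back to dotted form (first-arc split assumes arcs 0..2 with second arc < 40)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_san_extension(ext: bytes):
    """Parse one Extension; return (critical, [dNSName strings]). Raises on anything that is not a SAN."""
    tag, content, end = decode_tlv(ext)
    if tag != TAG_SEQUENCE or end != len(ext):
        raise ValueError("not a single DER SEQUENCE")
    items = decode_sequence(content)
    if items[0][0] != TAG_OID or decode_oid(items[0][1]) != SAN_OID:
        raise ValueError("extension is not subjectAltName")
    critical = len(items) == 3 and items[1][0] == TAG_BOOLEAN and items[1][1] == b"\xff"
    octet_tag, octet_value = items[-1]
    if octet_tag != TAG_OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    gn_tag, gn_content, _ = decode_tlv(octet_value)
    if gn_tag != TAG_SEQUENCE:
        raise ValueError("extnValue is not a GeneralNames SEQUENCE")
    names = [v.decode("ascii") for t, v in decode_sequence(gn_content) if t == TAG_DNS_NAME]
    return critical, names


if __name__ == "__main__":
    ext = encode_san_extension(["example.com", "www.example.com"])   # constructed sample names
    print(ext.hex())
    print(decode_san_extension(ext))
```

The double wrapping (a GeneralNames SEQUENCE serialised into DER, then stuffed into an OCTET STRING inside another SEQUENCE) is exactly the kind of layering that makes certificate parsing error-prone; the decoder above checks every tag and every length against the buffer, which is the discipline a real parser needs to avoid reading past the data.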

Installing X.509 Certificates

The major operating systems, like Windows, have been notoriously bad at the User Experience associated with X.509 Certificates. Although the tortured syntax and incomprehensible semantics of the certificates cannot have helped, it is at least conceivable that a better User Experience might have led to wider acceptance of X.509 Certificates. It is now not conceivable that they could be resurrected as a useful means of identifying people, which was the intent when they were invented. So this section deals only with the few places where they are still encouraged: devices and Web Sites.

References

  1. DigiCert. What extensions and details are included in a SSL certificate? https://knowledge.digicert.com/solution/SO18140.html