Written by David Torre
Standard Validation

Validation is a technique used by certificate issuing authorities such as Verisign, GoDaddy, and others to assure the validity of a given organization. When an organization publishes a resource on the Internet, such as a web site or email server, it is inherently untrusted by all visitors. Rather than attempting to prove the resource's authenticity to each and every visitor, the resource gains the trust of a "root" certificate authority that is already trusted by visitors. Gaining the trust of a certificate authority which already has the trust of a visitor grants a somewhat "indirect" path of trust between the visitor and the resource. For example, if visitors directly trust Verisign, and Verisign directly trusts the resource, then visitors (indirectly) trust the resource. This is known as the "certification trust path."
Validation techniques vary among certificate issuing authorities; however, all tend to follow a similar format of ensuring that the certificate requester truly is who they claim to be. Among the most simplistic techniques is email verification, whereby a certificate authority looks up the requester in a published database such as WHOIS and sends a verification email to the technical administrator of the given domain name. If the certificate requester has access to the mailbox designated as the technical contact for the domain in question, the certificate authority deems the requester to be legitimate and a certificate is issued. Yet these and other "simplistic" validation techniques have raised security concerns, as one-dimensional validity checks may be easily compromised by attackers. For example, gaining access to a single mailbox would allow an impostor to create a certificate in the name of a legitimate organization.
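The trust path and the limit of one-dimensional validation described above, modeled as an added example that is not part of the original article. It uses textbook RSA with toy keys built from Mersenne primes; the names "Example Root CA" and "www.example.org" and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(subject, subject_n, issuer, n):
    """Hash the name-to-key binding and reduce it below the signer's modulus."""
    data = f"{subject}|{subject_n}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_n, issuer, issuer_key):
    """The issuer signs the binding between a name and a public key."""
    n, d = issuer_key
    sig = pow(digest(subject, subject_n, issuer, n), d, n)
    return {"subject": subject, "n": subject_n, "issuer": issuer, "sig": sig}

def trusted(cert, trust_store):
    """Visitor check: was the cert signed by a root already in the trust store?"""
    root_n = trust_store.get(cert["issuer"])
    if root_n is None:
        return False  # issuer unknown to the visitor: no trust path exists
    expected = digest(cert["subject"], cert["n"], cert["issuer"], root_n)
    return pow(cert["sig"], E, root_n) == expected

# Constructed keys (toy sizes, demonstration only, never for real use).
ROOT = make_key(2**127 - 1, 2**89 - 1)
SITE = make_key(2**107 - 1, 2**61 - 1)
IMPOSTOR = make_key(2**61 - 1, 2**31 - 1)
TRUST_STORE = {"Example Root CA": ROOT[0]}  # the visitor trusts only the root

# Visitor -> root -> resource: the indirect path of trust.
genuine = issue("www.example.org", SITE[0], "Example Root CA", ROOT)
# An impostor vouching for itself has no path to a trusted root.
self_signed = issue("www.example.org", IMPOSTOR[0], "www.example.org", IMPOSTOR)
# If validation is fooled, the root signs the impostor's key for the same name.
misissued = issue("www.example.org", IMPOSTOR[0], "Example Root CA", ROOT)

if __name__ == "__main__":
    for label, cert in [("genuine", genuine), ("self-signed", self_signed),
                        ("mis-issued", misissued)]:
        print(f"{label:12} trusted={trusted(cert, TRUST_STORE)}")
```

The mis-issued certificate verifies exactly like the genuine one: the visitor's check confirms only that the root signed the binding, so the path is no stronger than the validation the authority performed before signing.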
Last Updated on Saturday, 21 November 2009 09:18