Where can I obtain certificates?
To ensure the unequivocal assignment of a certificate to a person,
the certificate must be issued by a trustworthy organization or
authority which, in turn, guarantees that the certificate does indeed
belong to a particular person.
Let us assume that Alice and Bob work for the same company and that
this company uses Microsoft Windows Server 2003 technology. In such
a case, it is extremely easy to obtain a certificate, as a PKI (Public
Key Infrastructure) is automatically supplied. Alice and Bob can
simply request a certificate via the Intranet or from their network administrator.
And because they work for a reputable company, they can be confident
of the origin of the certificates and their trustworthiness.
The procurement of certificates is slightly more difficult if Alice
and Bob do not work in the same company – in such a case,
who can ensure that the certificates are trustworthy and guarantee
that the certificates are correctly assigned to a specific person?
This is the job of certification authorities (or CAs for short).
Well-known certification authorities include:
Once Alice and Bob have decided on an authority, they request their
certificates. The authority first checks that Alice is really
Alice and Bob is really Bob. The best way to do this in Germany
is the PostIdent method, in which both parties must be identified at
a post-office counter on the basis of their personal ID. This prevents
Carl from requesting a certificate under the guise of Alice
or Bob.
Once this procedure is complete and both parties have their certificates,
Alice can, at any time, check the authenticity of Bob’s public
key. She does this by inquiring at the CA whether the key in question
is Bob’s key or whether, rather stupidly, Carl has attempted to
deceive the system. Carl may be an IT expert, but the CA is
beyond even him!
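In practice, Alice usually performs this check by verifying the CA's signature on Bob's certificate against the CA's own certificate. The following is an added example, not part of the original page, using the openssl command line; the name "Example CA", the file prefixes and all keys and certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is generated locally (constructed).
set -eu
WORK=$(mktemp -d)

make_ca() {  # $1 = file prefix; self-signed certificate for a hypothetical CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = name in the certificate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

alice_checks() {  # $1 = prefix of the certificate Alice was handed
    # Alice trusts only the real CA's certificate. openssl prints "<file>: OK"
    # when the signature on the certificate chains to that trusted CA.
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>/dev/null \
            | grep -q ': OK$'; then
        echo trusted
    else
        echo rejected
    fi
}

make_ca ca                      # the authority Alice and Bob chose
issue_cert ca bob "Bob"         # issued after the CA verified Bob's identity
make_ca carl_ca                 # Carl's own signer, reusing the CA's display name
issue_cert carl_ca carl "Bob"   # Carl's certificate claiming to be Bob

echo "Bob's certificate:  $(alice_checks bob)"
echo "Carl's certificate: $(alice_checks carl)"
```

Carl's certificate carries the right name and even names the same issuer, but it is rejected because its signature was not made with the private key of the CA that Alice trusts.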