Two Meanings of Digital Certificate
The term digital certificate has two meanings. One is general and refers to a category comprising four different types of certificate; the other is specific and refers to one particular type within that category. Because one use of the term names the whole category and the other names only some of its members, the potential for confusion is great. So, let’s clarify the situation.
Digital Certificate: the Overarching Term
Microsoft support defines digital certificate as an overarching term: a certificate binds a public key to the organization or individual to whom it was issued, and its purpose is to give anyone relying on it assurance that the public key actually belongs to that organization or individual.
The organizations responsible for issuing digital certificates of all types are called Certificate Authorities (CAs). They do not only issue digital certificates: they also verify the identity behind each request and sign the resulting certificate. Depending on the validation level of the certificate, the Certificate Authority must go to greater or lesser lengths to establish the identity of the person or organization requesting it. These are the validation levels, from least to most rigorous:
- Domain Validation—the CA must verify only that the applicant controls the domain the certificate will name; historically this meant checking that the applicant matches, or can be contacted through, the person or organization listed for that domain in the WHOIS database. Nothing about the applicant’s legal identity is checked.
- Organization Validation—the CA must verify that the business requesting the certificate actually exists and must ascertain that both its physical address and its web address are accurate.
- Extended Validation—the CA must verify an extensive amount of information, including the organization’s registration with at least one official registration agency in its jurisdiction, for example the Secretary of State’s office; the domain must be registered through an ICANN-authorized registrar for gTLDs or an IANA-authorized registrar for ccTLDs and must not use the WHOIS privacy feature offered by many registrars; the telephone number must be independently verified; and so on.
When verification is not properly undertaken, fraudulent certificates can be issued, as happened in March 2011 with a reseller for Comodo, a Certification Authority. Although the certificates were quickly revoked, the potential for damage is high, because revocation only protects clients that actually check revocation status before trusting a certificate. Comodo has put measures in place to prevent a recurrence.
Microsoft Support identifies four types of digital certificate. Here is a description of each:
- Personal Certificates—These digital certificates are used by individuals to authenticate themselves to a server (client authentication), as well as to secure email using S/MIME (Secure/Multipurpose Internet Mail Extensions), which supports message signing and encryption based on the public-key technology of RSA Data Security, Inc.
- Server Certificates—These digital certificates include the type commonly known as SSL (now TLS) certificates and provide a means for servers to prove their identity to clients: the certificate names the host, and the server proves possession of the matching private key during the handshake.
- Software Publisher Certificates—These digital certificates (code-signing certificates) let a user verify that software distributed online was signed by the named publisher, whose identity was vetted by a trusted CA, and that the software has not been modified since it was signed. They provide no information about the validity, usefulness, or safety of the code included in the software. Browsers maintain lists of trusted publishers.
- Certificate Authority Certificates—There are two levels of Certificate Authority: Root and Intermediate. A Root Certificate Authority issues its own Root Certificate, that is, it certifies itself, being both the subject and the issuer; such a self-signed certificate is only trusted because relying parties install it directly in their trust store. A Root CA can also issue certificates for Intermediate Certification Authorities, which in turn can issue certificates for other Intermediate Certification Authorities, as well as personal, server, and publisher certificates. A relying party validates an end-entity certificate by building a chain from it, through the intermediates, up to a trusted root.
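The chain described above, as an added example that is not part of the original article or of Microsoft’s documentation: it uses Go’s standard crypto/x509 library to issue a self-signed root, an intermediate signed by the root, and a server certificate signed by the intermediate, then validates the server certificate the way a browser would. All names (“Example Root CA”, “www.example.test”) are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three tiers the article describes: a self-signed root CA,
// an intermediate CA issued by the root, and an end-entity (server)
// certificate issued by the intermediate. All names are constructed examples.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs template under parent with the signer's key and parses the result.
// When parent == template the certificate is self-signed (subject == issuer).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates fresh keys and issues root -> intermediate -> leaf.
func BuildChain() (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()

	// Root CA: subject and issuer are the same name; signed with its own key.
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Intermediate CA: issued by the root. pathLen 0 lets it sign end-entity
	// certificates but not further intermediates.
	interTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter, err := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Server certificate: not a CA (IsCA defaults to false), bound to one
	// hostname, and usable only for TLS server authentication.
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 3, 0),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// IsSelfSigned reports whether cert names itself as issuer and its signature
// verifies under its own key, the defining property of a root certificate.
func IsSelfSigned(cert *x509.Certificate) bool {
	return cert.Subject.String() == cert.Issuer.String() && cert.CheckSignatureFrom(cert) == nil
}

// VerifyLeaf validates leaf -> intermediate -> root for the given hostname and
// extended key usage, the same checks a browser runs on a server certificate.
func VerifyLeaf(c *Chain, dnsName string, eku x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{eku},
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root self-signed:", IsSelfSigned(c.Root))
	fmt.Println("server auth, right host:", VerifyLeaf(c, "www.example.test", x509.ExtKeyUsageServerAuth))
	fmt.Println("server auth, wrong host:", VerifyLeaf(c, "mail.example.test", x509.ExtKeyUsageServerAuth))
	fmt.Println("server cert used for client auth:", VerifyLeaf(c, "www.example.test", x509.ExtKeyUsageClientAuth))
}
```

The last two checks are the point of the example: the same server certificate is rejected when presented for a hostname it does not name, and when presented as a personal (client-authentication) certificate, because its extended key usage only permits server authentication. Only the root is self-signed; the intermediate carries the root’s signature, not its own.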
Digital Certificate: the Specific Type
The term digital certificate is also used to refer to personal certificates, in particular those issued to enable sending secure email. For example, the Webopedia definition of digital certificate says nothing about the use of personal certificates to authenticate to servers, let alone mentions the existence of any other type of digital certificate, such as server certificates, software publisher certificates, or Certification Authority certificates.
This is not the only potential source of confusion. VeriSign refers to a validated personal digital certificate for sending S/MIME-compliant email as a “Digital ID,” whereas an article in Macworld called “Create a digital ID with Adobe Acrobat” uses the term digital ID to refer to a method of signing an Adobe Acrobat document with a self-generated certificate that no CA has validated.
The takeaway is that it’s important to use care when discussing digital certificates and digital IDs, because the terms can mean different things to different people.