I'm bummed that authentication wasn't discussed until the last 2 paragraphs. And then only topically.
> We figured out how to make a personal certificate authority on your own computer,
This isn't entirely true. I can make a self-signed cert, but there's no root of trust exdcept my computer: someone else can make their own self-signed cert claiming to be me.
I recently bought an SMIME cert from Sectigo for $20. There needs to be a personal CA and commensurate tooling, but it is still not widely available for non-miliatry.
Is there a way for me to get a personal cert that can be authenticated with a CA? Because I've been looking for some time. MozillaZine has a page on SMIME certs, but 80% of the names are crossed off.[1]
My country (Kazakhstan) issues certificates to its citizens. They are signed by a government CA. So if you want to authenticate a Kazakhstan citizen, you can ask him to sign something and check his certificate. I've heard that many other countries are issuing similar certificates. So it's possible to build an universal service which would work for many countries.
Sounds like a great hammer to hold over any/all citizens. That government can invalidate your cert any time. You won't be able to conduct any action which requires it. I bet they aim for it to be required for everything sooner or later, and merely today it's probably not yet needed to buy milk.
In the same way a self-signed certificate doesn't need to be signed by an official root of trust to be useful for authentication, a self-signed Personal CA doesn't need to be signed or cross-signed by another CA to be trusted by a server.
I'm a little confused, can you help me understand something?
Assume you created a self-signed personal certificate and you use that to sign your emails.
What if I make a self-signed cert claiming to be you, and create an email address nmelo@gmail.com.
How would someone know which one to trust if there wasn't a third party to verify youre the real nmelo? Websites do this with trusted CA roots on their browsers.
Going back further, business do it with services like Dun & Bradstreet.
Absolutely. The important part is that certificates don't necessarily need to encode any personal information to be immediately useful as a factor of authentication.
The fact that a person controls the private key associated with the certificate should be enough to allow any given server to trust the certificate, if they have enough confidence that the private key is being securely stored by the user.
Now extend that to a personal certificate authority. As long as the server is able to trust that the Root Certificate, and any Intermediates certs in that CA are controlled by the user, they should be able to trust certificates signed by that CA to authenticate that person.
Thanks for explaining, would you mind answering a follow-up?
> the fact that a person controls the private key associated with the certificate should be enough
Going back to my example, of you and I both claiming to be the same person with our certificates, us both having a private key doesn't solve this problem. Who authenticates who is the real person? Or is that not the point of certificates?
> if they have enough confidence that the private key is being securely stored by the user
Or... is it that a self-signed cert just proves who owns the private key, and I'm putting to much into what a cert is supposed to be?
> and any Intermediates certs in that CA are controlled by the user,
ah, ok, so I can act as my own CA because I have the private key for the root of trust.
> We figured out how to make a personal certificate authority on your own computer,
This isn't entirely true. I can make a self-signed cert, but there's no root of trust exdcept my computer: someone else can make their own self-signed cert claiming to be me.
I recently bought an SMIME cert from Sectigo for $20. There needs to be a personal CA and commensurate tooling, but it is still not widely available for non-miliatry.
Is there a way for me to get a personal cert that can be authenticated with a CA? Because I've been looking for some time. MozillaZine has a page on SMIME certs, but 80% of the names are crossed off.[1]
> muse of cryptography
Definitely Melpomone. ;)
[1] http://kb.mozillazine.org/Thunderbird_:_FAQs:_Get_an_SMIME_c...