network security and public keys

Todays Internet offers methods for secure web access (HTTPS) and email transfer (S/MIME) which are based on cryptographic methods, called public keys. These ensure privacy of communication and authentification of the sender and receiver. Most contemporary browsers and email programs support these with one or two "mouse clicks" and the advantages are numerous.
However, some very old insights into encryption and its well-known pitfalls still apply to this modern technology.
More information is found at http://en.wikipedia.org/wiki/Public-key_infrastructure. An excellent book on cryptographic background and fundamentals is "F.L. Bauer, Decrypted Secrets".

What are CA certificates and why should I care ?

Web pages and emails can be signed and encrypted by digital certificates which are issued by Certificate Authorities (CA), also called "root certificates". Most of these are privately operated, commercial companies, that you probably never even heard of. Your web browser has a built-in list of about a few dozen of these CAs (listing of CAs in webbrowser Firefox, March 2007), and when ever it encounters a certificate issued by one of them, it trust that certificate without any further questions asked. This practice of shipping software, like your browser, with a pre-installed long list of ad-hoc, blindly, trusted CAs could be regarded as bad cryptographic mistake. It does ease handling at the client side and may be regarded as suitable for access to e-vendors for the masses.
A list of accepted CA is stored in your browser. On "Firefox" this list is shown under "Preferences->Advanced->View Certificates".
Since communication at our site is much more peer-to-peer, we chose being our own CA. Which works exactly the same way as described, and the HTTPS access is as secure, except our CA is not ad-hoc known to your browser. Accordingly, you may make it known to your browser, which requires a one-time step on your side:

Importing our CA certificate into your browser

When loading our CA certificate, (DER format, CRT format) your browser shows a dialog window requesting you to confirm loading of an "untrusted" certificate. Depending on your browser, the dialog looks similar to this one in "Firefox":

CA trust dialog MSIE

By security and cryptographic standards you want to verify that it is truly our certificate. Taking the browser "Firefox" as an Example, examining the certificate shows:

CA trust dialog Thunderbird

Verification of the certificate is done by checking the SHA256 fingerprint, a number shown in the dialog window:
8C:23:C3:DB:0A:CA:90:05:AF:EE:66:EB:36:A7:76:73:D6:B5:5F:D7:4D:92:5A:1E:0F:4D:E8:E9:9C:E3:F3:BE
Note: this key was updated 22 Feb 2022 22:25:19 GMT.
However, consider the following cryptological insight: It is basic cryptological security that an authentication code or encryption passphrase (in this case the CA certificate) must be communicated or at least validated on another transport way as the authenticated or encrypted message itself. In this scenario, we fax or post you this fingerprint as reference upon request.

Sending us S/MIME encrypted email

Please contact us prior to sending S/MIME encrypted emails.

Opera browser

You might have to unset "OCSP Validate Certificates" in "Security Prefs" on the "opera:config" page.

Valid HTML 4.01 Transitional


/icos/en-flag.png /icos/de-flag.png 
web address of this page: http://pab-opto.de?d=/pki
Datenschutzerklärung , Impressum
page contents © pab