Sharing Your Secrets
Although digital encryption schemes had been in use since the 1970's, demand for secure Internet transmission skyrocketed after the National Science Foundation Network (NSFNet) was opened to commercial traffic by the passage of the High Performance Computing Act of 1991. With business, consumer, and financial traffic growing rapidly, a secure yet practical means of encrypting traffic was necessary. An age-old problem of exchanging "secret messages" is how to transmit the key to the cipher to the desired party without unwanted third parties getting it and intercepting those secrets. The answer was symmetrical encryption keys. A symmetrical encryption key has two components: a private key, which only the key's owner should possess, and a public key, that its owner can and should share widely. The two keys are used together as described below. Since the public key cannot be used without matching it to the private key, which is retained by its owner, there is no need to worry about transmitting the public key widely to anyone who will communicate with the key's owner.
Security Certificates: the Key Vault
When the PGP encryption program was launched, users were invited to share their public keys in an online "key ring." This was intended to create a "web of trust," comprising multiple key rings where correspondents could find the public key of their communication partners. Over time the web of trust concept gave way to Public Key Infrastructure (PKI), which is more suitable for large scale use. While the web of trust depends on individual members relying on the credentials and statements of fellow users, PKI instead is based on a hierarchical system of certificate authorities.
Certificates are defined by standard X.509, which is promulgated by the International Telecommunication Union - Technology Standardization Sector (ITU-T), a United Nations agency. Certificates are issued by certificate authorities at different levels, with the highest ranking authorities issuing certificates for lower level ones, and so on down the hierarchy.
Companies and individuals seeking a well-recognized certificate generally must establish their identity to the satisfaction of the certificate authority. This may included having a business identity registered with Dun and Bradstreet—a DUNS number—or a validated reference from a staff member of a public organization.
Once a user creates an item, such as a website, email, or signed document, with the certificate, a viewer of that item may verify the validity of the certificate through the chain of certificate authorities. For example, clicking on the lock icon of a web browser visiting this site provides the below information about the libapps host of this guide.
UNC offers a certificate issuance service for university departments and personnel. Both web host and personal certificates are available.