Digital Certificate Operation in a Complex Environment
PKI Primer and Project Background
5.1. Avoiding the question for a moment...
You may assume that 'identification' of users (or servers) is what we should be worried about. However, identification really means associating an identity with a subject (or a network ID with a request). This most basic level of 'security' is good enough for a lot of transactions. For example, the owners of some public-domain text on a web page do not have to worry about whether the text is going to a verified individual; all the server has to do is ensure that the text is delivered to the individual who requested it. Therefore, basic identification is 'associating an identity with a subject', and it can be (relatively) anonymous. Over a public network such as the Internet, this is a very basic process, and one that TCP/IP (transmission control protocol/Internet protocol) handles very well.
'Authentication', on the other hand, comes in when a little more 'security' is necessary. Authentication is 'establishing the validity of something, such as an identity'. Over a public network, this may be difficult. In the real world you may be happy that someone has authenticated her* identity by showing you her driving licence or national passport. You may even be fairly happy with a less important document that she holds, such as her gym membership card.
*For easy readability, we have avoided writing "he or she" etc. and have tried to use examples of either sex. In this primer, we attempt to use male and female examples in equal measure.
Between computers over networks it is possible (and often quite easy) for someone else to copy a set of data that you have used to identify yourself before. Therefore, the danger exists that your server - or your correspondent - cannot be sure that you are who you appear to be or that your apparent identity has been validated (authenticated).
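The difference between identification and authentication described above can be shown in code. The following is an added example, not part of this primer: it contrasts a server that merely recognises an identifier it has seen before (so a copied identifier works again) with a server that authenticates by challenge-response, issuing a fresh single-use nonce and accepting only a response computed over it. The HMAC-based challenge-response is an illustrative technique chosen for brevity and stands in for the certificate-based mechanisms the rest of the document covers; the shared secret, the user name and the class names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed secret shared by client and server for this illustration only.
# In a PKI the equivalent is the subject's private key, which never leaves the
# subject; a symmetric secret keeps the example short.
SHARED_SECRET = b"constructed-demo-secret"


class IdentifyingServer:
    """Identification only: the server associates a request with whatever
    identity the request carries. Anyone who copies the identifier can reuse it."""

    def __init__(self, known_users):
        self.known_users = set(known_users)

    def handle(self, identifier: str) -> bool:
        return identifier in self.known_users


class AuthenticatingServer:
    """Authentication by challenge-response: the server issues a fresh,
    single-use nonce and accepts only a response bound to that nonce."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed challenge
        self.outstanding.discard(nonce)  # single use: a replayed exchange fails here
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """The legitimate subject proves possession of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_identification() -> tuple:
    """A copied identifier ('alice', constructed) is accepted every time it is presented."""
    server = IdentifyingServer(["alice"])
    captured = "alice"
    first = server.handle(captured)
    replayed = server.handle(captured)
    return first, replayed


def replay_against_authentication() -> tuple:
    """A copied (nonce, response) pair is accepted once and rejected when presented again."""
    server = AuthenticatingServer(SHARED_SECRET)
    nonce = server.issue_challenge()
    response = client_respond(SHARED_SECRET, nonce)
    first = server.verify(nonce, response)
    replayed = server.verify(nonce, response)
    return first, replayed


def forged_response_rejected() -> bool:
    """A response computed without the real secret does not validate."""
    server = AuthenticatingServer(SHARED_SECRET)
    nonce = server.issue_challenge()
    return server.verify(nonce, client_respond(b"not-the-secret", nonce)) is False


if __name__ == "__main__":
    print("identification: first=%s replay=%s" % replay_against_identification())
    print("authentication: first=%s replay=%s" % replay_against_authentication())
    print("forged response rejected: %s" % forged_response_rejected())
```

The point the example makes is the one in the paragraph above: data that merely identifies can be copied and reused, whereas authentication binds each exchange to something only the genuine subject can produce and only for that exchange.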