RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
Subject:
From: "Gervais, John" <[log in to unmask]>
Date: Tue, 15 Feb 2005 13:43:24 -0500
Reply-To: Records Management Program <[log in to unmask]>

The United States Government and the Government of Canada have been working
closely together on the use of PKI or Public Key Infrastructure.  Public Key
Infrastructure is the combination of software, encryption technologies, and
services that enables enterprises to protect the security of their
communications and business transactions on the Internet.

A Public Key Infrastructure provides the four principal security functions
required for on-line transactions:
* Data Confidentiality - to keep information private;
* Data Integrity - to prove that the information has not been manipulated;
* Authentication - to prove the identity of an individual or application; and
* Non-repudiation - to ensure that information cannot be credibly disowned.

Public key cryptography encrypts information by using two mathematically
related keys: one is kept private; the other is made public. The private key
cannot be determined from the public key. An individual who wants, for
example, to send a message uses the public key of the recipient to encrypt
the message. The recipient uses his or her private key to decrypt the
message. The sender therefore knows that only the intended recipient can
read the message.

Public key cryptography can also be used to create digital signatures. A
digital signature is made when a mathematical function produces a value
dependent on the content(s) of a message, which is then attached to the
message and encrypted using the sender's private key. The recipient of the
message can decrypt the digital signature using the sender's public key. The
recipient then passes the message through the same mathematical function to
produce a second summary of the message. If the digital signature can be
decrypted and the summaries are identical, then the recipient is assured of
both the sender's identity and the integrity of the message, i.e., the
message was not altered from the moment it was digitally signed. Because the
digital signature of a message depends on the private key used to produce
it, the sender's ability to repudiate the message is reduced.

A Certification Authority is a third party trusted to associate a public and
private key pair with a particular individual or entity. It identifies the
individual or entity which is to receive a key pair; issues keys; revokes
keys when a private key may have been lost, stolen or otherwise made public;
and provides notice as to those key pairs which have been revoked. It is
possible that an individual, instead of a Certification Authority, may
generate his or her own keys. A public/private key pair is a set of two
numbers. The electronic document or record which links the key pair to an
individual or entity is a digital certificate issued by a Certification
Authority. The digital certificate, which has been digitally signed by the
Certification Authority, contains the public key and serves as evidence that
the individual identified in the certificate holds the corresponding private
key.

A somewhat technical process but simplistic in its methodology. I would be
interested in hearing about your experiences in using this technology.
Cheers


John A. Gervais
Program Manager
Policy and Standards Section
Information Policy and Governance Division
Intergovernmental and International Affairs Directorate
Policy and Planning Branch
Canada Revenue Agency
25 Nicolas Street, 16th Floor
Ottawa, Ontario, Canada, K1A 0L5

1-613-688-9302
mailto:[log in to unmask]
http://www.cra-arc.gc.ca/

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
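
The signing, certificate and revocation steps described in the message above, as an added example that is not part of the original post: a Certification Authority signs the binding between a name and a public key, and a recipient checks the certificate, the revocation list and the message signature in turn. The keys are toy textbook-RSA keys built from known Mersenne primes, and the subject name, message text and name-based revocation list are assumptions made for illustration.

```python
import hashlib

# Toy textbook-RSA keys from known Mersenne primes (constructed for this
# example; unpadded and far too structured for real use).
E = 65537

def make_key(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes) -> int:
    """The 'mathematical function' that summarises a message (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)      # summary transformed with the private key

def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)   # recovered vs. recomputed summary

def cert_body(subject: str, public) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA binds a name to a public key by signing both together."""
    sig = sign(ca_private, cert_body(subject, subject_public))
    return {"subject": subject, "public": subject_public, "ca_sig": sig}

def check_message(ca_public, revoked, cert, data: bytes, signature: int) -> str:
    """Recipient's checks: CA signature, revocation notice, message signature."""
    if not verify(ca_public, cert_body(cert["subject"], cert["public"]), cert["ca_sig"]):
        return "certificate not issued by this CA"
    if cert["subject"] in revoked:      # simplification: real CRLs list serial numbers
        return "certificate revoked"
    if not verify(cert["public"], data, signature):
        return "signature invalid: message altered or wrong key"
    return "ok"

# Constructed sample data.
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**127 - 1, 2**1279 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, "alice@example.org", ALICE_PUB)
MESSAGE = b"Retain file 2005-017 for seven years."
SIGNATURE = sign(ALICE_PRIV, MESSAGE)
```

Changing one byte of `MESSAGE`, editing any field of `ALICE_CERT`, or adding the subject to the revocation set each makes `check_message` return a different failure reason.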
