# Cryptography

## Chain of Trust

### Root Certificate

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution.^[https://en.wikipedia.org/wiki/Root_certificate]

# Certificate Authority (CA)

A certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.^[https://en.wikipedia.org/wiki/Certificate_authority]

# Validation Levels

## Domain Validation

A domain validated (DV) certificate is an X.509 public key certificate where the domain name of the applicant is validated by proving some control over a DNS domain, for example by:

- Responding to an email sent to the email contact in the domain's whois details
- Responding to an email sent to a well-known administrative contact in the domain (e.g. admin@, postmaster@)
- Publishing a DNS TXT record
- Publishing a nonce provided by an automated certificate issuing system

## Extended Validation (EV) Certificate

Unlike domain-validated and organization-validated certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance. Only CAs that pass an independent qualified audit review may offer EV, and all CAs globally must follow the same detailed issuance requirements, which aim to:

- Establish the legal identity as well as the operational and physical presence of the website owner;
- Establish that the applicant is the domain name owner or has exclusive control over the domain name;
- Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorized officer;
- Limit the duration of certificate validity to ensure the certificate information is up to date.

The CA/B Forum also limits the re-use of domain validation data and organization data to a maximum of 397 days (must not exceed 398 days) from March 2020 onward.
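The chain-of-trust point above, as an added example (not from the original notes or any project's code) using Go's standard crypto/x509: a constructed root, an intermediate it signs, and a leaf certificate for a hostname, with all names, the hostname and the validity periods constructed for the demo. Nothing inside the chain makes the root trustworthy; the verifier accepts the leaf only when the root has been placed in its trust store out of band, which the trustRoot flag models.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// tmpl builds a minimal template; a CertSign key usage marks a CA, dns names the leaf's host.
func tmpl(serial int64, cn string, ku x509.KeyUsage, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
}
// sign issues t under a fresh Ed25519 key, signed by parentKey (self-signed when parent is nil).
func sign(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil { // a root certificate is its own issuer
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	check(err)
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}
// VerifyChain builds root -> intermediate -> leaf for host and validates the leaf for wantHost.
// Nothing inside the chain makes the root trustworthy: it is accepted only because the verifier
// installed it out of band, which trustRoot models by adding it to the root pool.
func VerifyChain(host, wantHost string, trustRoot bool) error {
	root, rootKey := sign(tmpl(1, "Constructed Root CA", x509.KeyUsageCertSign, nil), nil, nil)
	inter, interKey := sign(tmpl(2, "Constructed Intermediate CA", x509.KeyUsageCertSign, nil), root, rootKey)
	leaf, _ := sign(tmpl(3, host, x509.KeyUsageDigitalSignature, []string{host}), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(root)
	}
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: wantHost, Roots: roots, Intermediates: inters})
	return err
}
```

With trustRoot false every signature in the chain is still valid, yet Verify returns an x509.UnknownAuthorityError: validity of the chain and trust in its anchor are separate questions.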