Web, mail, and directory services use the public key with SSL to negotiate a shared key
that is used only for the duration of the connection.
For example, a mail server sends its public key (carried in its certificate) to a connecting
client and initiates negotiation for a secure connection. The client uses the public key to
encrypt its response to the negotiation. The mail server, because it holds the matching
private key, is the only party that can decrypt the response. The negotiation continues
until the mail server and the client share a secret that is used to encrypt the traffic
between the two computers.
Certificates
A certificate is an electronic document that binds a public key to identification
information (name, organization, email address, and so on). In a public key
environment, a certificate is digitally signed either by a Certificate Authority or by the
private key that matches the certificate's own public key (the latter is a self-signed
certificate).
A public key certificate is a file in a specified format (Mac OS X Server uses the X.509
format) that contains:
• The public key half of a public-private key pair
• The key user's identity information, such as a person's name and contact information
• A validity period (the dates between which the certificate can be trusted to be accurate)
• The URL of a party with the authority to revoke the certificate (its revocation center)
• The digital signature of a CA, or of the key user for a self-signed certificate
About Certificate Authorities (CAs)
A CA is an entity that signs and issues digital identity certificates, attesting that a party
is correctly identified. In this sense, a CA is a trusted third party relied on by other parties
when performing transactions.
In X.509 systems such as Mac OS X, CAs are hierarchical, with each CA being certified by
a higher CA, until you reach a root authority. A root authority is a CA that the parties
trust directly (its certificate is installed in their trust stores), so its certificate is self-signed
rather than certified by another CA. The hierarchy of certificates is top-down, with the
root authority's certificate at the top and server or user certificates at the bottom.
A CA can be a company that signs and issues public key certificates. The certificate
attests that the public key belongs to the owner recorded in the certificate.
In a sense, a CA is a digital notary public. You request a certificate by providing the CA
with your identity information, contact information, and your public key. The CA then
verifies your information so that users can trust the certificates the CA issues for you.
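The key negotiation described at the start of this page and the CA hierarchy described in this section, worked through in Python as an added example (this is not Apple's code and is not part of the original manual). It uses toy textbook RSA with 512-bit keys and a dictionary in place of a real X.509 file so that it runs on the standard library alone; the names Example Root CA, Example Issuing CA and mail.example.com, and all function names, are assumptions for illustration. The exchange is RSA key transport: the client walks the server's chain back to a trusted root, encrypts a random premaster secret with the server's public key, and both sides derive the traffic key from it. One caveat a practitioner should know: TLS 1.3 removed RSA key transport in favour of ephemeral Diffie-Hellman, because with key transport a later compromise of the server's private key decrypts every recorded session.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA (no padding), assumed here only so the example runs offline.
# Real servers use PKCS#1/OAEP padding, and TLS 1.3 uses ephemeral Diffie-Hellman.
def _is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); the public half is what goes into a certificate."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

# A certificate as a dict holding the fields listed on the page; the issuer's
# signature covers a digest of the "to be signed" fields.
def _tbs_digest(cert):
    tbs = "|".join(str(cert[k]) for k in ("subject", "pub", "issuer", "not_before", "not_after"))
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def issue_cert(subject, pub, issuer_name, issuer_priv, not_before, not_after):
    cert = {"subject": subject, "pub": pub, "issuer": issuer_name,
            "not_before": not_before, "not_after": not_after}
    n, d = issuer_priv
    cert["sig"] = pow(_tbs_digest(cert), d, n)  # the CA (or the key user) signs
    return cert

def signature_valid(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _tbs_digest(cert)

def verify_chain(chain, trust_anchors, now):
    """Walk leaf-first until a certificate issued by a trust anchor is reached."""
    anchors = {c["subject"]: c for c in trust_anchors}
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False  # outside the validity period
        if cert["issuer"] in anchors:  # reached a root trusted by fiat
            return signature_valid(cert, anchors[cert["issuer"]]["pub"])
        if i + 1 == len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            return False  # chain ends without reaching a trusted root
        if not signature_valid(cert, chain[i + 1]["pub"]):
            return False  # link not signed by the claimed issuer
    return False

# The negotiation: the client verifies the server's chain, then encrypts a fresh
# premaster secret to the server's public key; only the private key recovers it.
def client_key_exchange(server_chain, trust_anchors, now):
    if not verify_chain(server_chain, trust_anchors, now):
        raise ValueError("untrusted server certificate")
    n, e = server_chain[0]["pub"]
    premaster = secrets.randbelow(n)  # real TLS: 48 random bytes, padded
    return pow(premaster, e, n), premaster

def server_key_exchange(ciphertext, server_priv):
    n, d = server_priv
    return pow(ciphertext, d, n)

def session_key(premaster, client_nonce, server_nonce):
    """Both sides derive the same traffic key from the shared premaster secret."""
    return hmac.new(premaster.to_bytes(64, "big"), client_nonce + server_nonce,
                    hashlib.sha256).digest()

def demo(now=1_700_000_000):
    """Root CA -> issuing CA -> mail server; True if both sides agree on a key."""
    root_pub, root_priv = rsa_keygen()
    ca_pub, ca_priv = rsa_keygen()
    srv_pub, srv_priv = rsa_keygen()
    root = issue_cert("Example Root CA", root_pub, "Example Root CA", root_priv, now - 1, now + 10**8)
    ca = issue_cert("Example Issuing CA", ca_pub, "Example Root CA", root_priv, now - 1, now + 10**7)
    srv = issue_cert("mail.example.com", srv_pub, "Example Issuing CA", ca_priv, now - 1, now + 10**6)
    cn, sn = secrets.token_bytes(32), secrets.token_bytes(32)  # hello nonces
    ct, client_pm = client_key_exchange([srv, ca], [root], now)  # client trusts only root
    server_pm = server_key_exchange(ct, srv_priv)
    return session_key(client_pm, cn, sn) == session_key(server_pm, cn, sn)
```

Running demo() returns True: the client never sees the server's private key, yet both ends compute the same traffic key. The chain walk is where the hierarchy on this page becomes a check: a certificate that names the root as its issuer but carries a signature from some other key fails, an expired intermediate fails, and a self-signed certificate is rejected until it is added to the trust anchors.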
60 Chapter 4 Enhancing Security