Chapter 4 Enhancing Security 61
About Identities
Identities are a certificate and a private key, together. The certificate identifies the
user, and the private key corresponds to the certificate. A single user can have several
identities; for any given user, each certificate could have a different name, email
address, or issuer.
These identities are used for different security contexts. For example, one could be
used to sign others’ certificates and another could be used to identify the user by email;
these do not need to be the same identity.
In the context of the Mac OS X Server Certificate Manager, identities include a signed
certificate and both keys of a PKI key pair. The identities are used by the system
keychain and are available for use by various services that support SSL.
About Self-Signed Certificates
Self-signed certificates are digitally signed by the private key corresponding to
the public key included in the certificate. This is done in place of a CA signing the
certificate. By self-signing a certificate, you’re attesting that you are who you say you
are. No trusted third party is involved.
About Intermediate Trust
If you are your own CA, and your certificates are not trusted by the default shipping
root certificates in Mac OS X, your clients can still be configured to trust your
certificates through an intermediate trust.
Trust is the ability of a client to believe the identity of a server when it connects.
A trusted server is a known server that the client can transact with securely, without
interference from outside and unknown parties.
Mac OS X clients follow X.509 trust validation when accepting certificates, meaning
they follow the chain of certificate signers back until they find a trusted root certificate.
Mac OS X lets you specify a trusted anchor (in other words, a certificate that is not a
root CA certificate, but that you trust). A client can trust a certificate closer in the chain
of trust, or even just the submitted certificate itself. Trusting a certificate that isn’t a
shipping root anchor is intermediate trust.
To accomplish this, trust needs to be bestowed on certificates rather than on keychains
(as was done previously). In v10.4, trust was given to certificates in the keychain
called “X509Anchors.” The X509Anchors keychain was deprecated starting with
Mac OS X v10.5.
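The self-signed root, the intermediate CA, and the intermediate-trust check described in the two sections above, as an added example that is not from this manual: it uses the openssl command line instead of Certificate Manager, and the names, the temporary directory, and the 365-day lifetimes are assumptions.

```shell
# Added example, not from the Apple manual: build a three-level chain with
# openssl and validate the server certificate two ways. All names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Root CA: a key pair and a CSR for its public key, then the CSR is signed with
# that same private key. That is what "self-signed" means; no CA is involved.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -out root.crt -days 365 2>/dev/null

# Intermediate CA: its CSR is signed by the root's private key.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.crt -days 365 2>/dev/null

# Server identity: a key pair plus a certificate signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=server.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out server.crt -days 365 2>/dev/null

# Ordinary X.509 validation: walk the signer chain back to a trusted self-signed
# root. The intermediate is supplied only as an untrusted link in the chain.
verify_with_root_anchor() {
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1
}

# Intermediate trust: the client trusts the intermediate itself and never sees
# the root. -partial_chain lets validation stop at a trusted non-root anchor.
verify_with_intermediate_anchor() {
  openssl verify -partial_chain -CAfile inter.crt server.crt >/dev/null 2>&1
}

# Same anchor without -partial_chain: the validator still insists on reaching a
# self-signed root, and the intermediate's issuer is not in the trust store.
verify_intermediate_without_partial_chain() {
  openssl verify -CAfile inter.crt server.crt >/dev/null 2>&1
}

verify_with_root_anchor && echo "root anchor: OK"
verify_with_intermediate_anchor && echo "intermediate anchor: OK"
verify_intermediate_without_partial_chain || echo "intermediate anchor, full chain required: rejected"
```

The third check is the one to remember when a client trusts an intermediate: the validator has to be told that a non-root anchor is acceptable, or the chain is rejected even though the anchor is trusted.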