Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why certificate is needed for signing instead of just private/public key pair?

Tags:

security

certificate

x509certificate

Newbie question: some vendors propose solution like generating dynamic certificates to allow user who haven't classic certificate to sign documents. But why not just generate private/public keys alone instead of bothering with certificate format ?

like image 862
user310291 Avatar asked Oct 26 '25 23:10

user310291

2 Answers

The purpose of the (public key) certificate is to bind the public key to the identity of its subject (i.e. the owner/entity associated with the key pair), and possibly various attributes telling you what the certificate may be used for. (You may be interested in this question on Security.SE.)

You always sign with the private key (not the public key or the certificate), but the public key or certificate are often attached with the signed document.

If you have an explicit list of public keys you know and can link independently to a user, you don't need a certificate.

The certificate allows third parties (who have signed the certificate) to assert the binding between the identifier and the public key. Even if you don't know that identity in advance, you can link the signature to the signer's identity as long as you trust the entity that signed the certificate.

Dynamically generated certificates may not be very useful in this case, unless you trust the party that generates the certificate dynamically (I'm not sure if you meant the tool itself or perhaps a website that you would also know).

Often, X.509 certificates will be used just to attach to that signature, because the tooling requires it, whereas you may be able to match the public key against an identity you know directly in the tool with which you verify the signature. Sometimes, it's also just done in anticipation of a case where it will be useful one day.

For example, if you publish your own artifacts to the central Maven repository, you will be required to sign it with your PGP certificate (often only referred to as the PGP public key). Yet, no verification of the certificate is made at all during the process (PGP certificate with only its self-signed signature is good enough). This makes this process relatively pointless in this case, but makes it possible to be stricter in which artifacts you want to use, if you're able to verify those certificates later on.

like image 93
Bruno Avatar answered Oct 29 '25 18:10

Bruno

It's the same but you need a third party to consent that private key belongs to whom ever you think it belongs to.

like image 29
vimdude Avatar answered Oct 29 '25 20:10

vimdude
Sign in to Comment

Related questions

spring-boot dependencies and security fixes
Best practice to secure an Electron application
Ways to implement "Attribute Based Access Control" with GraphQL
Protect my public oauth API from abuse, but allow anonymous access from my app?
What is CSS injection and how to prevent it?
KeyCloak error SunCertPathBuilderException: unable to find valid certification path to requested target
How to prevent user enumeration attacks for a login system?
Why does mutual SSL require a key pair on the client side instead of just a public certificate?
How can I sign Git notes?
How to solve API key is visible on request URL problem?
How to use Cipher without IV(Initialization Vector)
Block upload of executable images (PHP)
Restrict REST API access to only my website
Can I securely store an OpenID Connect id_token and access_token in a cookie if it's marked as HTTP only?
QML applications and security - is there any?
Enable Strict transport security MVC
What validation is important in a PHP web form that only interacts with itself?
WCF custom userName authentication using HTTP
How to publish jQuery code accessing a REST api, but have it secured from unauthorized use

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!