SKIP Certificates

SKIP certificates are the means by which a user distributes public key information. A SKIP certificate is a digital document that contains a user's Distinguished Name, the public key associated with that Distinguished Name, and the time interval for which the certificate is valid. You can distribute your public certificate to other users, who extract and use your public key to calculate a unique shared secret for encrypting communications between you. Users can distribute their certificates freely to other SKIP users on diskette, through a certificate server, or over a network.

Figure B-7 SKIP Certificate Contents

SKIP certificates can be signed or unsigned:

• Signed SKIP certificates (RSA certificates) must be obtained from a Certification Authority, which is an entity trusted to create and assign SKIP certificates. In addition to the information described above, a signed certificate contains the name of the certification authority responsible for issuing the certificate and the MD5 hash of the certificate. The CA signs the certificate by encrypting the hash with the CA's private key. The CA's digital signature lets anyone who receives the certificate validate its contents and verify that an unauthorized user is not impersonating you.

  You can store signed certificates in directory servers, transmit them by means of non-secure message exchanges, or distribute them on diskette. For information on how to obtain signed SKIP certificates, contact carequest@sun.com.

• Unsigned SKIP certificates (unsigned Diffie-Hellman (UDH) certificates) are generated on demand by the user. A user's unsigned certificate can be distributed through secure out-of-band channels or through certificate discovery (which is described on "Certificate Discovery"). Unsigned certificates can offer several advantages over signed certificates:

  • A user generates a private key when he or she generates a public certificate. This private key never leaves the user's machine, meaning that a network administrator does not need to order, distribute, or protect key diskettes.

  • Since UDH certificates are not registered by a certification authority, they do not need to be formally revoked. If a user or administrator suspects that a key has been compromised, a new key/certificate can be generated and the new certificate can be distributed to other users.

The decision whether to use a signed or unsigned certificate depends on the type of hosts with which you want to exchange encrypted traffic. In general, you must use a signed certificate to communicate securely with a host using a signed certificate, and you must use an unsigned certificate to communicate securely with a host using a UDH certificate. Both certificates must use keys of the same length and use the same values for key calculation.