ZyWALL 2WG Support Notes
All contents copyright (c) 2006 ZyXEL Communications Corporation. 256
Certificate Policies
A Certification Practice Statement.
G05. What is a Certification Authority?
A Certification Authority is a trusted third party that verifies the identity of an applicant registering for
a digital certificate. Once a Certification Authority is satisfied as to the authenticity of an applicant's
identity, it issues that person a digital certificate binding his or her identity to a public key. (Digital
certificates are also issued to organizations and devices, but we will focus on people for the purposes
of this discussion.)
G06. What is a digital certificate?
An electronic credential that vouches for the holder's identity, a digital certificate has characteristics
similar to those of a passport – it has identifying information, is forgery-proof, and is issued by a
trusted third party. Digital certificates are published in on-line directories. Typically, a digital
certificate contains:
The user's distinguished name (a unique identifier)
The issuing Certification Authority's distinguished name
The user's public key
The validity period
The certificate's serial number
The issuing Certification Authority's digital signature, which is used to verify the information in the digital
certificate.
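As an added example (not from the ZyXEL notes), the following POSIX shell script uses the openssl command line to build a throwaway Certification Authority, issue a certificate to a constructed user "alice", print the fields listed above, and check the issuing CA's signature; it also shows the same check failing against an unrelated CA. The names Demo Root CA, alice and Other CA are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the ZyXEL notes. Names (Demo Root CA, alice,
# Other CA) are constructed for illustration. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The Certification Authority's own key pair and self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=Demo PKI/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The applicant generates her own key pair and a signing request carrying
#    her distinguished name and public key; the private key stays with her.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Demo PKI/CN=alice" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null

# 3. Once satisfied with the applicant's identity, the CA signs the request,
#    binding alice's name to her public key for a 90-day validity period.
openssl x509 -req -sha256 -days 90 -CAcreateserial \
  -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -out "$WORK/alice.crt" 2>/dev/null

# An unrelated CA that had no part in issuing alice's certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=Unrelated/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Print the fields listed in G06: subject DN, issuer DN, serial number,
# validity period and the holder's public key.
show_fields() {
  openssl x509 -in "$WORK/alice.crt" -noout -subject -issuer -serial -dates
  openssl x509 -in "$WORK/alice.crt" -noout -pubkey
}

# Check the issuer's signature over the certificate against a trusted CA
# certificate; prints "ok" when it verifies and "fail" otherwise.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$WORK/alice.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

show_fields
echo "issuing CA:   $(verify_against_ca "$WORK/ca.crt")"
echo "unrelated CA: $(verify_against_ca "$WORK/other.crt")"
```

The second verification fails because the signature on alice's certificate was made with the Demo Root CA's private key, so only that CA's public key can confirm it.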
G07. What are public and private keys, and what is their relationship?
A PKI uses asymmetric cryptography to encrypt and decrypt information. In asymmetric cryptography,
encryption is done by a freely available public key, and decryption is done by a closely guarded
private key. Although the public and private keys in a particular key pair are mathematically related, it
is computationally infeasible to derive one key from the other. Each key in an asymmetric key pair performs a
function that only the other can undo.
G08. What are Certificate Policies (CPs)?
Certification Authorities issue digital certificates that are appropriate to specific purposes or
applications. For example, in the Government of Canada Public Key Infrastructure, digital certificates
for data confidentiality are different from those used for digital signatures. Certificate Policies