Aren't digital certificates and digital signatures two different things? Self-signed digital certificates cannot...
be non-repudiated, right? My thinking is that XML signatures and digital signatures are a security level above basic certificate-based authentication. Is this correct?
Yes, digital certificates and digital signatures are quite different. Digital certificates are used to verify the trustworthiness of a website, while digital signatures are used to verify the trustworthiness of information. In the case of digital certificates, an organization may only trust a site if the digital certificates are issued by the organization itself or by a trusted certification source, like Verisign Inc. But, this doesn't necessarily mean that the content of the site can be trusted; a trusted site may be infiltrated by a hacker who modifies the site's content.
Digital signatures create a check-sum for the information within an object so the recipient can verify that the content was received unaltered. For example, if you were to send a signed Microsoft Word attachment in an email, and a man-in-the-middle attack occurred in which a hacker somehow got a hold of the attachment in transit, and inserted a malicious piece of code, when the recipient's application examined the attachment before opening it, the content check-sum would not match the altered Word attachment and it would alert the recipient that the content was modified in some way from the original.
Something else to consider: Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it. However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site. This relationship is needed to establish where and how the check-sum information will be sent, preferably through a communication channel other than the one used for transportation of the content, in order to reduce the chance of modification. You don't want a hacker to have the ability to modify both the content and the digital signature check-sum. In an un-trusted environment, such as business-to-business (B2B) dealings over the Internet, ideally you would connect to a site using a trusted digital certificate where any content available for transfer was digitally signed to ensure it was unaltered.
Related Q&A from Randall Gamby
Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises according to expert Randall Gamby.continue reading
Bimodal IAM may be a new term, but this new way to use user credentials should probably already be in practice among secure organizations.continue reading
Reviewing credential dumps could potentially save identity information from being stolen and used in a data breach. Expert Randall Gamby explains why...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.