Aren't digital certificates and digital signatures two different things? Self-signed digital certificates cannot be non-repudiated, right? My thinking is that XML signatures and digital signatures are a security level above basic certificate-based authentication. Is this correct?
Yes, digital certificates and digital signatures are quite different. Digital certificates are used to verify the trustworthiness of a website, while digital signatures are used to verify the trustworthiness of information. In the case of digital certificates, an organization may only trust a site if the digital certificates are issued by the organization itself or by a trusted certification source, like Verisign Inc. But, this doesn't necessarily mean that the content of the site can be trusted; a trusted site may be infiltrated by a hacker who modifies the site's content.
Digital signatures create a check-sum for the information within an object so the recipient can verify that the content was received unaltered. For example, if you were to send a signed Microsoft Word attachment in an email, and a man-in-the-middle attack occurred in which a hacker somehow got a hold of the attachment in transit, and inserted a malicious piece of code, when the recipient's application examined the attachment before opening it, the content check-sum would not match the altered Word attachment and it would alert the recipient that the content was modified in some way from the original.
Something else to consider: Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it. However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site. This relationship is needed to establish where and how the check-sum information will be sent, preferably through a communication channel other than the one used for transportation of the content, in order to reduce the chance of modification. You don't want a hacker to have the ability to modify both the content and the digital signature check-sum. In an un-trusted environment, such as business-to-business (B2B) dealings over the Internet, ideally you would connect to a site using a trusted digital certificate where any content available for transfer was digitally signed to ensure it was unaltered.
Dig Deeper on PKI and Digital Certificates
Related Q&A from Randall Gamby, Contributor
Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.continue reading
Expert Randall Gamby discusses risk-based authentication, and whether that type of user identification system is right for the enterprise.continue reading
Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.