Aren't digital certificates and digital signatures two different things? Self-signed digital certificates cannot...
be non-repudiated, right? My thinking is that XML signatures and digital signatures are a security level above basic certificate-based authentication. Is this correct?
Yes, digital certificates and digital signatures are quite different. Digital certificates are used to verify the trustworthiness of a website, while digital signatures are used to verify the trustworthiness of information. In the case of digital certificates, an organization may only trust a site if the digital certificates are issued by the organization itself or by a trusted certification source, like Verisign Inc. But, this doesn't necessarily mean that the content of the site can be trusted; a trusted site may be infiltrated by a hacker who modifies the site's content.
Digital signatures create a check-sum for the information within an object so the recipient can verify that the content was received unaltered. For example, if you were to send a signed Microsoft Word attachment in an email, and a man-in-the-middle attack occurred in which a hacker somehow got a hold of the attachment in transit, and inserted a malicious piece of code, when the recipient's application examined the attachment before opening it, the content check-sum would not match the altered Word attachment and it would alert the recipient that the content was modified in some way from the original.
Something else to consider: Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it. However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site. This relationship is needed to establish where and how the check-sum information will be sent, preferably through a communication channel other than the one used for transportation of the content, in order to reduce the chance of modification. You don't want a hacker to have the ability to modify both the content and the digital signature check-sum. In an un-trusted environment, such as business-to-business (B2B) dealings over the Internet, ideally you would connect to a site using a trusted digital certificate where any content available for transfer was digitally signed to ensure it was unaltered.
Dig Deeper on PKI and digital certificates
Related Q&A from Randall Gamby
Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to ... Continue Reading
When it comes to minimum password length, 14-character passwords are generally considered secure, but they may not be enough to keep your enterprise ... Continue Reading
Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses. Continue Reading