X.509 Certificates and Trust Models

Sep 3, 2025

Overview

This lecture explores X.509 digital certificates, their structure, revocation, and alternatives like the web of trust for establishing identity and trust.

X.509 Certificates

  • X.509 is the standard defining the format of digital certificates.
  • First issued in 1988; current version is X.509 v3.
  • Certificates include a version field specifying the X.509 standard used.
  • Serial number uniquely identifies the certificate, assigned by the Certificate Authority (CA).
  • Certificate signature algorithm field names the public-key signature algorithm and hash function the CA used to sign the certificate.
  • Issuer name identifies the CA that signed the certificate.
  • Validity field contains "not before" and "not after" dates showing when the certificate is valid.
  • Subject field identifies the entity to which the certificate was issued.
  • Subject public key info includes the public key algorithm and the actual public key.
  • Certificate signature value holds the digital signature data.
  • Certificate fingerprints are hash digests of the whole certificate, computed by clients; not stored in the certificate.
  • Certificate Revocation List (CRL), published by the CA, lists certificates that were revoked before their "not after" date and should no longer be trusted.
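As an added example (not from the lecture), the script below creates a throwaway self-signed certificate with the openssl CLI and reads back the fields listed above, then recomputes the fingerprint by hand to show it is a client-side hash over the DER encoding rather than a stored field. It assumes the openssl command is installed; the name example.test and organization "Lecture Demo" are constructed values.

```sh
#!/bin/sh
# Added example, not from the lecture: build a self-signed certificate and
# walk the X.509 v3 fields. Assumes openssl is installed; the subject name
# "/CN=example.test/O=Lecture Demo" is a constructed value.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/cert.pem"

# Self-signed: no CA is involved, so issuer and subject carry the same name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example.test/O=Lecture Demo" \
    -keyout "$WORKDIR/key.pem" -out "$CERT" 2>/dev/null

# One helper per field; each maps to a bullet in the list above.
field()        { openssl x509 -in "$CERT" -noout "$@"; }
cert_subject() { field -subject | sed 's/^subject= *//'; }
cert_issuer()  { field -issuer  | sed 's/^issuer= *//'; }
cert_serial()  { field -serial  | sed 's/^serial=//'; }
cert_dates()   { field -dates; }     # prints notBefore= and notAfter=

# Fingerprint as openssl reports it: "SHA256 Fingerprint=AB:CD:..." -> "ABCD..."
cert_fingerprint() { field -fingerprint -sha256 | cut -d= -f2 | tr -d ':'; }

# The same value recomputed independently: SHA-256 over the DER bytes.
# Nothing in the certificate stores this; every client derives it itself.
recomputed_fingerprint() {
    openssl x509 -in "$CERT" -outform DER | openssl dgst -sha256 \
        | awk '{print $NF}' | tr 'a-f' 'A-F'
}

# Validity window check: -checkend exits non-zero if the certificate
# will have passed its "not after" date within N seconds from now.
valid_for_seconds() { openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null; }

# Full human-readable dump, the way the fields are usually inspected.
openssl x509 -in "$CERT" -noout -text
echo "subject:     $(cert_subject)"
echo "issuer:      $(cert_issuer)"
echo "serial:      $(cert_serial)"
cert_dates
echo "fingerprint: $(cert_fingerprint)"
echo "recomputed:  $(recomputed_fingerprint)"
```

Because the certificate is self-signed, the issuer line equals the subject line; a CA-issued certificate would show the CA's name as issuer instead.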

Web of Trust

  • Web of trust is a decentralized alternative to PKI where individuals sign each other's public keys.
  • Identity is verified in-person, typically by checking identification documents.
  • Signing a public key vouches for the key owner's identity.
  • Key signing is often mutual; both parties sign each other's keys.
  • Key signing parties gather people to verify and sign each other's keys, expanding trust.
  • Trust networks grow as signed members bring in new, verified members, bridging different webs of trust.

Key Terms & Definitions

  • X.509 — Standard for digital certificate format.
  • Certificate Authority (CA) — Entity that issues and manages certificates.
  • Certificate Revocation List (CRL) — List of revoked, invalid certificates.
  • Certificate fingerprint — Hash digest of the entire certificate, used for validation.
  • Web of Trust — Decentralized trust model where individuals mutually sign public keys.

Action Items / Next Steps

  • Review the structure and fields of an X.509 certificate.
  • Understand procedures for certificate verification and revocation.
  • Explore practical examples of web of trust and how key signing parties work.