Ecommerce Implementation  «Prev  Next»
Lesson 9 Certificate issues
ObjectiveDescribe the issues associated with using digital certificates.

Certificate Issues | Associated with Digital

Certificate shortcomings

When deciding how to use certificates, remember their shortcomings as well as their capabilities. Certificates:
  1. Do not provide absolute proof of identity
  2. Do not allow for selective disclosure
  3. Are costly

In addition, your certificate password should be secured.

Certificate Password Security

During the digital certificate creation, you created a pass phrase. This pass phrase is never used again unless you need to revoke the certificate. Your clients will never use it. If someone gains access to your certificate on the server, this pass phrase is only a symmetric key for encrypting the private key on the physical hard drive. It is much easier to break symmetric keys. Therefore, make sure you physically secure your server. Also, proper choice of a good password significantly raises the private key's protection level. If the key is physically copied, it is still useless without the key to decrypt and use it. It cannot be used or installed without this key. On the other hand, loss of this key compromises your own ability to use the certificate, so this information should be well protected.

Authentication, not proof

The possibility always exists that a hacker stole files from a user's hard drive and cracked the password. This would completely invalidate a certificate. Also, average users tend to assume that a certificate is foolproof and that anyone presenting a certificate is legitimate. This is not the case.

Users and group membership

Many e-commerce sites create specialized user groups, as well as accounts that involve user names and passwords. If you wish to authenticate users for each of these groups, certificates are not the answer. Although you can use a certificate for basic authentication and creating an SSL session, today's certificates do not contain enough information about the user to facilitate automatic group placement or user account creation. You can require that all users first establish an SSL session, then enter information. You will then have to create a separate authentication session for users to enter the group.

Selective disclosure

Certificates do not allow selective disclosure[1] of information. In other words, there is no way to reveal only certain fields of the certificate to certain users. Currently, if you need to have a coworker retrieve your email for you, you need supply only your password. However, if you are using certificates, this legitimate activity is not feasible. Digital certificates are currently an "all or nothing" proposition.
One way to get around this is the use of portable technologies, such as smart cards and similar physical storage methods.
These issues with digital certificates are being addressed, but you need to be aware of the current barriers to implementation.


Digital certificates are not free, and they require eventual renewal. You should factor these costs into your business plan. Although certificates are not prohibitively expensive, they require a certain commitment from e-commerce vendors.
In the next lesson, we will discuss SSL transactions.

Digital Certificates - Quiz

Click the Quiz link below to take a multiple-choice quiz on digital certificates and CAs.
Digital Certificates - Quiz

[1]Selective disclosure: The ability to reveal only portions of a digital certificate. As yet, this is not possible in an e-commerce setting.

Digital Certificates