In today's society, individuals and businesses conduct an ever-increasing amount of activities on and over computer systems. These computer systems, including proprietary and non-proprietary computer networks, are often storing, archiving, and transmitting all types of sensitive information. Thus, an ever-increasing need exists for ensuring data stored and transmitted over these systems cannot be read or otherwise compromised.
One solution is to secure the data using keys of a certificate authority. Certificate authorities may be run by trusted third-party organizations or companies that issue digital certificates, such as, for example, VeriSign, Baltimore, Entrust, or the like. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. Requests for a digital certificate may be made through digital certificate protocols, such as, for example, PKCS10. In response to a request, the certificate authority will issue a certificate in a number of differing protocols, such as, for example, PKCS7. Messages may be exchanged between devices based on the issued certificates.
If the certificate authority is compromised, then the security of the system may be lost for each user for whom the certificate authority is certifying a link between a public key and an identity. For example, an attacker may compromise a certificate authority by inducing that certificate authority to issue a certificate that falsely claims to represent an entity. The attacker would have the private key associated with the certificate authority's certificate. The attacker could then use this certificate to send digitally signed messages to a user, and trick that user into believing that the message was from the trusted entity. The user may respond to the digitally signed messages, which the attacker may decrypt using the private key. Accordingly, the trust that the user placed in the certificate authority may be compromised.