Sunday, March 1, 2020

SSL/TLS Protocol


First, TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). The SSL versions had protocol-level weaknesses that could not be patched without breaking compatibility, so the IETF standardized TLS 1.0 in 1999 (RFC 2246) as the replacement and has kept revising it since; SSL 3.0 itself was formally deprecated in 2015 (RFC 7568). Today TLS is the go-to protocol for protecting communication over the Internet, and "SSL" survives mostly as a name (the openssl tool, "SSL certificates").

Here are a few resources I found useful:




You know you are lucky if you can find a good MIT OCW video on the topic. This is a great discussion of the topic.


So, based on all these resources, I have come to the following understanding:

A root CA (certificate authority) that your browser already trusts, because its certificate is in the browser's or operating system's trust store, is the anchor of every HTTPS connection. If the server's certificate was not issued directly by a root CA (it almost never is), the browser has to build a path: the server's certificate names its issuer, that issuer's certificate (an intermediate CA certificate) names its own issuer, and so on, until the path reaches a root certificate in the trust store. The intermediates (often shipped together as a "CA chain" or "CA bundle" file) are normally sent by the server during the handshake; a root is trusted only because it is preinstalled, and an intermediate is trusted only because a trusted certificate signed it.

Once the client has a server certificate it can chain to a trusted root, the two sides carry out the TLS handshake. It runs directly over TCP, not over HTTP: HTTPS is ordinary HTTP carried inside the TLS session. The server's public key (from its certificate) is used to authenticate the server: in the older RSA key exchange the client encrypts a secret to that key, while in the (EC)DHE key exchange used by modern TLS both sides contribute ephemeral values and the certificate's key only signs the server's share. The client's own public key is involved only when client certificates (mutual TLS) are in use. Either way, both sides end up deriving the same symmetric session keys, and those, not the public keys, encrypt and authenticate the application data.

I also forgot to mention how the algorithms are chosen. In its first message (ClientHello) the client lists the cipher suites it supports, in its order of preference; the server picks one suite that both sides support, using either the client's order or, if configured that way, its own. Position in the list therefore means preference, not security: nothing stops an operator from listing a weak suite first, so the real defence is to offer only strong suites. A cipher suite names a whole set of algorithms, for example key exchange, authentication, bulk cipher and MAC/hash in TLS 1.2 (RSA is one of the key-exchange and authentication algorithms; TLS 1.3, published in 2018, dropped RSA key exchange and keeps RSA only for signatures).
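The chain building and the negotiation described in the last three paragraphs, as an added example (this is my illustration, not code from the original post or from the linked resources). It uses the openssl command-line tool, which the post links to below, to mint a three-level chain (root CA, intermediate CA, server certificate for localhost), shows that verification fails when the intermediate is missing even though the root is trusted, and then runs one real TLS 1.2 handshake between openssl s_server and openssl s_client on 127.0.0.1 to show that the server, not the position in the client's list, decides the cipher suite when it is configured to use its own preference. Assumptions: openssl 1.1.1 or newer is installed, loopback TCP port 14433 is free (TLS_DEMO_PORT overrides it), and the CA names are made up for the demo.

```sh
#!/bin/sh
# Added example for this post, not code from the original page or from any
# of the linked resources. Assumes: the openssl command-line tool (1.1.1 or
# newer) is on PATH, and TCP port 14433 on 127.0.0.1 is free (override with
# the TLS_DEMO_PORT environment variable). Everything is generated on the
# fly in a temp directory; the CA names and the port are made up for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PORT="${TLS_DEMO_PORT:-14433}"

# csr <basename> <subject>: fresh P-256 private key plus a CSR for it.
csr() {
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Build root CA -> intermediate CA -> leaf (server certificate for "localhost").
make_chain() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = unused\n' >req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' >leaf.ext
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' >>leaf.ext
  csr root  "/CN=Demo Root CA"
  csr inter "/CN=Demo Intermediate CA"
  csr leaf  "/CN=localhost"
  # Root: self-signed; this is the trust anchor a client must already hold.
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate: signed with the root's private key.
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out inter.pem 2>/dev/null
  # Leaf: signed by the intermediate, so its issuer is NOT a trusted root.
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Path validation succeeds only if the verifier can walk leaf -> intermediate
# -> root: the intermediate is supplied as untrusted, the root as trusted.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1 | grep -q ': OK$'
}

# Same leaf, same trusted root, but the intermediate is missing: the chain
# cannot be built ("unable to get local issuer certificate").
verify_without_intermediate() {
  openssl verify -CAfile root.pem leaf.pem 2>&1 | grep -q ': OK$'
}

# One real handshake on loopback, pinned to TLS 1.2 so the classic cipher-suite
# list applies. The client offers AES128 first, AES256 second; the server lists
# them the other way round and is told (-serverpref) to use its own order.
# The server sends leaf + intermediate; the client trusts only root.pem and
# aborts on any verification error. Prints the negotiated cipher suite.
negotiate() {
  openssl s_server -accept "$PORT" -naccept 1 -tls1_2 -serverpref -www \
    -cert leaf.pem -key leaf.key -cert_chain inter.pem \
    -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256' \
    >server.log 2>&1 &
  srv=$!
  out=""
  for attempt in 1 2 3 4 5 6 7 8 9 10; do   # wait for the listener to come up
    if out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
          -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384' \
          -CAfile root.pem -verify_return_error </dev/null 2>/dev/null); then
      break
    fi
    sleep 1
  done
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | sed -n 's/^New, TLSv1\.2, Cipher is //p' | head -n 1
}

make_chain
if verify_with_intermediate; then echo "verify with intermediate:    OK"; fi
if verify_without_intermediate; then echo "verify without intermediate: OK"
else echo "verify without intermediate: FAILED (expected: no path to the root)"; fi
CHOSEN=$(negotiate)
echo "negotiated cipher suite:     $CHOSEN"
```

Run it as a plain shell script. The first verify prints OK, the second fails because the verifier has the leaf and the root but no certificate that links them, and the negotiated suite is ECDHE-ECDSA-AES256-GCM-SHA384, the server's first choice, even though the client listed AES128 first. Drop -serverpref from the s_server line and rerun: OpenSSL then follows the client's order and picks ECDHE-ECDSA-AES128-GCM-SHA256. Putting inter.pem in -CAfile instead of root.pem still fails, because OpenSSL insists on ending the path at a self-signed root unless you pass -partial_chain.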





Where does it fit in the TCP/IP and OSI layer models? TLS sits between the transport layer (TCP) and the application protocol it protects (HTTP in the case of HTTPS); in OSI terms it is usually placed at the session/presentation layers (5 and 6).




From the OCW lecture, one thing to note is that Kerberos was the first protocol to solve secure client-server communication, but it fell short in areas such as scalability, a single point of failure (its central key distribution server) and slowness, so it was not the right tool for today's Internet systems.

This looks like a great website for learning about openssl:
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

I also liked this page on understanding intermediate certificates:
https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

===

Here is a two-part series on how digital certificates and the chain of trust work:













