Authentication

An assumption has been made in the preceding sections discussing digital signatures and envelopes that the identity of the owner of the public key used to encrypt or decrypt a message is established beyond doubt. But in practice, how would recipients of a message purportedly sent by a party named "Alice", accompanied by a digital signature that can be validated with a public key purported to belong to Alice, be sure that they are really using Alice's public key? And similarly, how would the sender of a message in a digital envelope encrypted with a public key purported to belong to an intended recipient named "Bob" be sure that it is really Bob's public key?

The use of physical documents to achieve authentication in the real world has existed for a long time. For example, when you write a check for a purchase and the merchant asks to see your driver's license, the license is being used to increase the merchant's confidence that you are who the check indicates you are. In this case the merchant trusts that the state that issued your license did an adequate job of verifying your identity. Another example is the use of a passport when traveling. The customs official who looks at your passport and then accepts it as proof of your identity trusts that your government did an adequate job of identifying you before issuing the passport. Notice that in both examples there has to be a level of trust in the certifying authority.

To guarantee the authenticity of public keys, Microsoft® Certificate Server provides digital certificates (commonly known as certificates) as a secure method of exchanging public keys over a nonsecure network.
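The trust relationship described above, played out in code, as an added example that is not part of the original documentation and does not use Microsoft Certificate Server: Go's standard crypto/x509 package stands in for the certifying authority. A root CA issues a certificate binding the name "Alice" to her public key; the recipient trusts only that root, verifies the presented certificate against it, confirms it names the expected sender, and only then uses the certified key to check the message signature. The names ("Example Root CA", "Alice", "Carol"), serial numbers, validity window, sample message and the choice of Ed25519 keys are all constructed for this example. Three scenarios show why the two checks matter: a genuine certificate is accepted, a self-signed certificate that merely claims the name "Alice" is rejected because it does not chain to the trusted root, and a CA-issued certificate for "Carol" is rejected because the name does not match the claimed sender.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate for name over pub, signed by signer. When
// parent is nil the certificate is self-signed. Serial numbers and the
// validity window are constructed values for this example.
func newCert(name string, pub ed25519.PublicKey, isCA bool, serial int64,
	parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl // self-signed: issuer and subject are the same entity
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticate is the recipient's check: the presented certificate must chain
// to a trusted root, must name the expected sender, and only then is its
// public key used to verify the signature over msg.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, sender string, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted authority: %w", err)
	}
	if cert.Subject.CommonName != sender {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, sender)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected public key type in certificate")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

// mustKey generates an Ed25519 key pair; key generation only fails if the
// system random source does, which is fatal for this example.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenarios reports, from the recipient's point of view, whether each of
// three messages is accepted: one from the genuine Alice, one from an impostor
// presenting a self-signed "Alice" certificate, and one signed under a
// CA-issued certificate that names Carol rather than Alice.
func RunScenarios() ([3]bool, error) {
	var out [3]bool
	caPub, caKey := mustKey()
	ca, err := newCert("Example Root CA", caPub, true, 1, nil, caKey)
	if err != nil {
		return out, err
	}
	roots := x509.NewCertPool() // the only authority the recipient trusts
	roots.AddCert(ca)

	msg := []byte("Pay Bob 100 units") // constructed sample message

	alicePub, aliceKey := mustKey()
	aliceCert, err := newCert("Alice", alicePub, false, 2, ca, caKey)
	if err != nil {
		return out, err
	}
	imPub, imKey := mustKey() // impostor: self-signed certificate claiming the name "Alice"
	imCert, err := newCert("Alice", imPub, false, 3, nil, imKey)
	if err != nil {
		return out, err
	}
	carolPub, carolKey := mustKey() // legitimately certified, but under her own name
	carolCert, err := newCert("Carol", carolPub, false, 4, ca, caKey)
	if err != nil {
		return out, err
	}

	out[0] = authenticate(roots, aliceCert, "Alice", msg, ed25519.Sign(aliceKey, msg)) == nil
	out[1] = authenticate(roots, imCert, "Alice", msg, ed25519.Sign(imKey, msg)) == nil
	out[2] = authenticate(roots, carolCert, "Alice", msg, ed25519.Sign(carolKey, msg)) == nil
	return out, nil
}

func main() {
	got, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine Alice accepted:", got[0])
	fmt.Println("self-signed impostor accepted:", got[1])
	fmt.Println("CA-issued certificate for Carol accepted as Alice:", got[2])
}
```

The order of checks in `authenticate` is the point: the certificate's chain to the trusted root is established before the name is read and before the enclosed public key is used for anything, so a key whose owner has not been vouched for by the authority never gets to validate a signature. Checking the subject name against the claimed sender is the second, separate step, because a certificate being genuine says nothing about whom it was issued to.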