The purpose of this Practice Directive is to provide guidance on Digital Certificates.
SSL secured session - An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client by using public-key techniques, and then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.
Digital Certificate - A digital certificate is an electronic document which uses a digital signature to bind together a public key with an identity — information such as the name of a person, organization, and other attributes which uniquely identify the entity and their role. The certificate can be used to verify that a public key belongs to the entity claiming that identity.
Digital signatures - Digital signatures are used in lieu of handwritten signatures and help both to verify the entity that created a document or message and to ensure it hasn't been tampered with. Digital signatures at SF State must conform with Title 2, Division 7, Chapter 10, of the California Code of Regulations. At this time, SF State does not have or partner with a Certificate Authority for the creation and verification of digital signatures for the purpose of replacing handwritten signatures. Activities and records using such a system may instead still use the alternative to X.509 digital certificates, whereby a check box checked by a uniquely authenticated user serves as acknowledgement.
Securing Servers with SSL
Getting An SSL Certificate for Your Server
SSL (Secure Sockets Layer) is a cryptographic protocol that can provide security and data integrity for communication over the Internet. It is designed to prevent eavesdropping, tampering and message forgery, and also provides endpoint authentication and communication confidentiality over the Internet using cryptography. SSL certificates must be used when users authenticate with their SF State credentials (SF State ID, password and/or other identifier). The CSU is planning a centralized certificate issuing system both for servers and individuals under a central certificate authority (CA) in the future.
Using self-signed certificates is not advisable because it is insecure. SSL is built on trust between the certificate authority and the SSL clients; if your certificate is self-signed, it gives the client machines no reason to trust that the connection that follows is authentic. Furthermore, SSL is a very finicky protocol, and using a self-signed certificate introduces an undesirable layer of complexity to implementing SSL.
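The trust difference described above, as an added example that is not part of the original directive: the script creates throwaway certificates with the OpenSSL command line (the CA name, host name and file names are constructed for illustration) and checks them the way a client would. A client that trusts the CA accepts the CA-issued certificate and rejects the self-signed one with the same subject, unless that exact certificate has been installed on the client by hand.

```bash
#!/usr/bin/env bash
# Added example: constructed names, throwaway keys kept in a temp directory.

# trust_verdict TRUST_STORE CERT -> prints "trusted" or "untrusted"
trust_verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# make_certs DIR: create a stand-in CA, a server certificate issued by it,
# and a self-signed server certificate with the same subject.
make_certs() {
  local d=$1 subj="/CN=server.example.test"
  # Stand-in for a commercial CA whose root is already in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Server key and certificate signing request, then the CA signs the request.
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/issued.key" -out "$d/issued.csr" 2>/dev/null
  openssl x509 -req -in "$d/issued.csr" -days 1 -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/issued.pem" 2>/dev/null
  # Same subject, but the server signs its own certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

demo() {
  local d
  d=$(mktemp -d)
  make_certs "$d"
  echo "CA-issued cert, client trusts the CA:       $(trust_verdict "$d/ca.pem" "$d/issued.pem")"
  echo "self-signed cert, client trusts the CA:     $(trust_verdict "$d/ca.pem" "$d/self.pem")"
  # The only way to get a self-signed cert accepted: copy it to every client.
  echo "self-signed cert, installed on client by hand: $(trust_verdict "$d/self.pem" "$d/self.pem")"
  rm -rf "$d"
}
demo
```

The last case is the extra complexity the paragraph refers to: every client needs its own out-of-band copy of the certificate, and nothing in the protocol tells a user whether the copy they were asked to accept is the genuine one.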
Choosing a Certificate Authority (CA)
Depending on the level of security you wish to provide for your service, you can choose either a Class-1 certificate or a Class-2/3 certificate from VeriSign, GoDaddy, or DigiCert.
Certificate Classes Explained
- Class-1 certificates require much less identity verification of the sender than Class-2. Intended for email or individual use.
- Information on other certificate classes is available at Wikipedia.
- Class-2 certificates are recommended when the data being exchanged over SSL is financial, medical or otherwise extremely sensitive in nature. These certificates require a greater amount of verification of the requester's identity, and are more greatly trusted by the SSL protocol. Intended for uses in which proof of identity is required.
- Class-3 certificates are used when security is critical and involve a greater degree of trust with the CA for complex transactions that must stand up in court. Class-3 certificates are for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
- Class-4 certificates are intended for online business transactions between companies.
- Class-5 certificates are intended for private organization or government security.
SF State Policy on Digital Signatures
Recently, the Chancellor's Office has issued a requirement (refer to the Integrated CSU Administrative Manual Policy on Digital Signatures) that all campuses have a policy regarding the use of digital signatures on their campus.
At this time, SF State has no formally endorsed mechanism to issue X.509 certificates using either an in-house Certificate Authority (CA) or external CA. We anticipate and are actively supporting a centrally managed and single CA across the CSU and await its implementation.
At this time, the State of California allowance under which a click or check mark in a box on a web form still meets California law as a digital signature equivalent will be used for digitally signed forms where the user is uniquely identified by ID, password and other acceptable authentication methods.
Responsibility for implementing this Practice Directive will rest with DoIT and Information Technology (IT) departments across campus. Submit any apparent violation of the Digital Certification Business Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to firstname.lastname@example.org.
Noncompliance with applicable policies and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.