Authentication Is Not for the Party Being Authenticated

Many people would be surprised to learn that the purpose of digital certificates is not to enable encryption. Our IT systems are frequently engineered not to enable encryption unless certificates are in place (most obviously when connecting to a web site using a popular desktop or mobile browser), but that decision is in recognition of the original purpose of certificates, which is to authenticate the identity of a participant in a digital transaction.

That’s why they’re called certificates. They certify.

This point of confusion leads many of the people who need certificates to sometimes puzzle over the why they are required at all. If a certificate authenticates your identity, you may begin to question the point of having it. After all, you know who you are. Why do you care if someone else confirms it?

I explain the difference with the analogy of offline identification, let’s say a passport. I have a passport that includes my name and my photo. Why do I need this document? I know my name, and I know what I look like.

The answer, of course, is it’s not for me. It’s for other people. The customs agent at the airport is a perfect example. This person doesn’t know my name and my face, and for our systems to run effectively this person needs to be able to establish who I am.

The same is true of digital certificates. You may be the most honest and trustworthy business in the world, the gold standard for customer service and IT security. You don’t need authentication to know it’s your business. But others need it to know they’re really connecting to you.

The web browser once again provides the example we’re all familiar with. Is this really my bank or a phishing site attempting to steal my login? But any digital connection holds the potential for some kind of man-in-the-middle or fraudulent identity attack. Certificates combat these attacks.

To learn more about certificates, watch the helpful video explaining Secure Sockets Layer (SSL).