Certificates
Request Certificates for an Application. Utilize transport and signing certificates to securely get data from other organisations.
Raidiam Connect enables organisations to obtain digital Certificates that can be used for:
- Transport: In mutual TLS (mTLS) authentication, both the client and the server authenticate each other using their respective certificates. During the handshake process, the server presents its certificate to the client, which verifies it against Raidiam's Certificate Validation Service. Similarly, the client presents its certificate to the server for verification. This mutual authentication ensures that both parties are trustworthy and authorized to communicate.
- Signing: Applications seeking access to resources from Data Providers can use signing keys to digitally sign their messages, thereby enabling validation of their identity as well as providing non-repudiation. A message is typically signed by applying the private key held by the Data Receiver to the JSON payload, producing a JWT (RFC 7519). Because the signature can be verified only with the public key registered for the application, signing a message ensures that if any part of it is altered after signing, the signature no longer validates. The signature also shows that the message was signed by a known and trusted sender who possesses the corresponding private key. Once a message is signed, the sender cannot deny having sent it or its contents, since it could only have been signed with the private key, which only the sender possesses. This property, known as non-repudiation, is crucial wherever proof of message origin is required.
- Encryption: Applications or servers seeking to exchange data over unsecured channels, such as the browser, can encrypt their requests (or parts of them) to ensure confidentiality and integrity of the transmitted data. The sending party uses the other party's public key to encrypt the JSON object, producing a JWE (RFC 7516), which can only be converted back into JSON with the receiving party's private key. Encryption ensures that the data in the request can be read only by the intended recipient. Even if an attacker intercepts the encrypted data, without the corresponding private (decryption) key the data remains unintelligible and useless. Additionally, any unauthorized modification of the encrypted data causes decryption to fail, alerting the recipient to potential tampering.
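The signing flow described in the Signing bullet above, as an added example that is not Raidiam's code: a minimal RS256 JWT signer and verifier written in Go against the standard library only. The key pair is generated in place as a stand-in for the application's registered signing key, and the kid, issuer and scope values are placeholders chosen for the demonstration. The verifier pins the alg header to RS256 and rejects a token whose payload was changed after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE compact serialisation uses unpadded base64url for every segment.
var b64 = base64.RawURLEncoding

// signJWT builds a compact JWS (RFC 7515) over a JSON payload, i.e. a JWT (RFC 7519),
// signed with RS256 using the Data Receiver's private signing key. kid identifies the
// key registered for the application; the value used in main is a placeholder.
func signJWT(payload map[string]any, priv *rsa.PrivateKey, kid string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	// The signature covers header and payload exactly as they are transmitted.
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyJWT checks the signature with the public key registered for the sender and
// returns the claims only if nothing changed after signing. The alg header is pinned
// to RS256 so that a token cannot switch the verifier to a weaker or absent algorithm.
func verifyJWT(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected 3 segments")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed JWT: segment is not base64url")
	}
	var hdr struct{ Alg string }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// A freshly generated key stands in for the application's registered signing key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tok, err := signJWT(map[string]any{"iss": "app-123", "scope": "accounts"}, priv, "kid-1")
	if err != nil {
		panic(err)
	}
	claims, err := verifyJWT(tok, &priv.PublicKey)
	fmt.Println("original verifies:", err == nil, claims)

	// Alter the payload after signing: the signature no longer matches.
	parts := strings.Split(tok, ".")
	parts[1] = b64.EncodeToString([]byte(`{"iss":"app-123","scope":"payments"}`))
	_, err = verifyJWT(strings.Join(parts, "."), &priv.PublicKey)
	fmt.Println("tampered rejected:", err != nil)
}
```

In a real deployment the verifier does not hold the key locally: it looks up the public key registered for the token's kid, and it also checks the standard time and audience claims before trusting the payload. The alg pin matters because accepting whatever algorithm the header names is the classic way a JWT verifier gets tricked into a weaker check.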
Those certificates can either be imported into Connect, where the ecosystem uses an external certificate authority, or minted by the platform itself, where the ecosystem uses the Raidiam Trust Framework Public Key Infrastructure.
Which option is available depends on the ecosystem's policy.
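For the Encryption bullet above, an added example that is not Raidiam's code: the JWE flow in Go with the standard library only, using RSA-OAEP-256 to wrap a random content key and A256GCM to encrypt the payload. The recipient key pair is generated in place as a stand-in for the receiving party's registered key, and the JSON payload is constructed for the demonstration. Decryption fails both with the wrong private key and when any segment of the token is modified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// newGCM returns the A256GCM AEAD for a 32-byte content encryption key.
func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptJWE wraps a payload for one recipient as a compact JWE (RFC 7516). A random
// content key encrypts the payload with A256GCM and is itself encrypted with the
// recipient's public key (RSA-OAEP-256); the protected header is the GCM AAD.
func encryptJWE(plaintext []byte, recipientPub *rsa.PublicKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM"})
	protected := b64.EncodeToString(hdr)
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	n := len(sealed) - gcm.Overhead() // Seal appends the tag; JWE carries it as its own segment
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// decryptJWE recovers the payload with the recipient's private key. A wrong key fails
// at the OAEP unwrap; any change to header, ciphertext or tag fails the GCM check.
func decryptJWE(token string, priv *rsa.PrivateKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("malformed JWE: expected 5 segments")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Enc string }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, errors.New("unsupported alg/enc header")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil {
		return nil, fmt.Errorf("content key unwrap failed: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(raw[2]) != gcm.NonceSize() {
		return nil, errors.New("bad iv length")
	}
	pt, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return nil, fmt.Errorf("message altered or not for this key: %w", err)
	}
	return pt, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the recipient's key
	if err != nil {
		panic(err)
	}
	tok, _ := encryptJWE([]byte(`{"account":"12345"}`), &recipient.PublicKey)
	pt, err := decryptJWE(tok, recipient)
	fmt.Println(string(pt), err)
}
```

Because the header is authenticated as AAD and the ciphertext carries a GCM tag, the recipient learns about tampering before any plaintext is released, which is the integrity property the bullet describes; confidentiality comes from the content key being recoverable only with the recipient's private key.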