Security Guidelines

You access Canada Post services over SSL/TLS, and the server identifies itself with a digital certificate. The connection is only as secure as your application's validation of that certificate, so familiarize yourself with the following aspects of digital certificate validation before you integrate.

Digital Certificate

A digital certificate is part of a public key infrastructure (PKI): a system of digital certificates, certificate authorities (CAs), and registration authorities that use public key cryptography to verify and authenticate the identity of the participants in an electronic transaction. A CA issues each certificate and signs it with its own private key. Each certificate contains information such as the subject (who it identifies), the issuer, the validity dates, and the subject's public key, and it is only as trustworthy as the signature of the CA that issued it.

Chain of Trust and Certificate Authorities

Digital certificates are verified using a chain of trust in a certificate hierarchy. Each certificate is signed by the CA above it, so a client checks the signature on the server certificate with its issuer's public key, then checks the issuer's certificate against its own issuer, and repeats this until it reaches the certificate of the root CA, which is self-signed and must already be present in the client's trust store. The root CA is the trust anchor for the chain: the chain is trusted only if every signature in it verifies and it ends at a root the client already trusts.

Certificate Validity

Every certificate is valid only within the period between its notBefore and notAfter dates. During authentication, the client checks that the current time falls inside the validity period of every certificate in the chain, not just the server's certificate.

Certificate Revocation List

A certificate authority can revoke a certificate for one of many reasons, such as compromise of the private key that corresponds to the certificate. When a certificate is revoked, every certificate issued beneath it in the hierarchy is invalidated as well and is not trusted during authentication. Revoked certificates are published by the issuer in a certificate revocation list (CRL), which the client must fetch and consult; a client that skips this check keeps trusting a compromised certificate until its validity period ends.

Securing Your Application

Application frameworks such as Java and .NET validate the chain of trust and the validity period by default, but revocation checking is often not enabled by default: Java's PKIX validator honours the system property com.sun.net.ssl.checkRevocation, which defaults to false, and .NET's HttpClientHandler.CheckCertificateRevocationList also defaults to false. It is important to ensure that your application does not disable the default checks (for example with a custom trust manager or server certificate callback that accepts every certificate) and that it turns revocation checking on. It is also important that the entire chain of trust is validated, not just the server's own certificate. In this way, spoofing and man-in-the-middle attacks can be mitigated.
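The following is an added example, not Canada Post's code and not any framework's own API; it uses only the Python standard library and covers the guidance in this section together with the validity and revocation sections above. It shows the insecure client context that results from disabling the checks beside a hardened one that keeps chain validation and host name checking on and adds CRL-based revocation checking, and a small application-level re-check of the server certificate's validity window and revocation status using the dictionary that getpeercert() returns. The host name, issuer name, serial number, CA bundle and CRL file paths, and the set of revoked serials are all assumptions made up for the example.

```python
# Added example, not Canada Post's or any framework's own code. Stdlib only.
import ssl
import time


def insecure_context() -> ssl.SSLContext:
    """What 'disabling the checks' looks like. Never ship this: the
    connection is still encrypted, but to whoever answers, so a spoofed
    server or a man-in-the-middle is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain, validity or revocation check
    return ctx


def hardened_context(ca_bundle=None, crl_file=None) -> ssl.SSLContext:
    """Chain validated up to a trusted root, host name checked, and CRL-based
    revocation checking for every certificate in the chain when a CRL is
    supplied. ca_bundle and crl_file are hypothetical PEM file paths."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        # Restrict the trust anchors to this bundle instead of the system store.
        ctx.load_verify_locations(cafile=ca_bundle)
    if crl_file:
        # PEM CRLs load through the same call. Once the flag is set, OpenSSL
        # fails the handshake if the CRL for any CA in the chain is missing,
        # so keep the CRLs fresh rather than dropping the flag.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def context_settings(ctx: ssl.SSLContext) -> dict:
    """Summarise the checks a context enforces (useful as a startup self-test)."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": int(ctx.verify_mode),  # 0 = CERT_NONE, 2 = CERT_REQUIRED
        "crl_check_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


# Constructed sample in the format ssl.SSLSocket.getpeercert() returns;
# not a real certificate and not a Canada Post host name.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "service.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def check_peer_cert(cert: dict, revoked_serials, now=None):
    """Application-level re-check of the leaf certificate's validity window
    and revocation status, mirroring what the TLS stack does for the chain.
    revoked_serials is a set of serial numbers taken from the issuer's CRL
    (hypothetical: in practice parse the CRL rather than hard-coding them).
    getpeercert() returns an empty dict when verify_mode is CERT_NONE, so
    this check only works when validation was left enabled."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    if cert["serialNumber"].upper() in {s.upper() for s in revoked_serials}:
        return False, "revoked"
    return True, "ok"


if __name__ == "__main__":
    print("insecure:", context_settings(insecure_context()))
    print("hardened:", context_settings(hardened_context()))
    mid_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
    print(check_peer_cert(SAMPLE_PEER_CERT, set(), now=mid_2024))
    print(check_peer_cert(SAMPLE_PEER_CERT, {"0a1b2c3d"}, now=mid_2024))
    print(check_peer_cert(SAMPLE_PEER_CERT, set(), now=mid_2024 + 365 * 86400))
```

Run the self-test at startup and fail fast if the context you are about to use reports verify_mode 0 or check_hostname False; that catches a copied "fix" for a certificate error before it reaches production. The application-level re-check is a defence in depth, not a substitute for the TLS stack's own chain validation, which also checks the signatures and validity periods of the intermediate and root certificates.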