Skip to content
Connect2id
JOSE

Validate vs verify in the context of cryptography

Writing specs and libraries requires excellent command of terminology. The concepts of validation and verification occasionally get mixed up in cryptography and so I looked for a good authoritative text to clarify the two terms and their correct use.

RFC 4949 – Internet security glossary, version 2, turned out to provide exactly what I needed:

On the difference between validate and verify:

Usage: To ensure consistency and align with ordinary English usage, IDOCs SHOULD comply with the following two rules:

  • Rule 1: Use “validate” when referring to a process intended to establish the soundness or correctness of a construct e.g., “certificate validation”). (See: validate.)

  • Rule 2: Use “verify” when referring to a process intended to test or prove the truth or accuracy of a fact or value (e.g., “authenticate”). (See: verify.)

Tutorial: The Internet security community sometimes uses these two terms inconsistently, especially in a PKI context. Most often, however, we say “verify the signature” but say “validate the certificate”. That is, we “verify” atomic truths but “validate” data structures, relationships, and systems that are composed of or depend on verified items. This usage has a basis in Latin:

The word “valid” derives from a Latin word that means “strong”. Thus, to validate means to check that a construct is sound. For example, a certificate user validates a public-key certificate to establish trust in the binding that the certificate asserts between an identity and a key. This can include checking various aspects of the certificate’s construction, such as verifying the digital signature on the certificate by performing calculations, verifying that the current time is within the certificate’s validity period, and validating a certification path involving additional certificates.

The word “verify” derives from a Latin word that means “true”. Thus, to verify means to check the truth of an assertion by examining evidence or performing tests. For example, to verify an identity, an authentication process examines identification information that is presented or generated. To validate a certificate, a certificate user verifies the digital signature on the certificate by performing calculations, verifies that the current time is within the certificate’s validity period, and may need to validate a certification path involving additional certificates.

“Verify signature” is the correct term, not validate

Deprecated Term: IDOCs SHOULD NOT use this synonym [valid signature]. This Glossary recommends saying “validate the certificate” and “verify the signature”; therefore, it would be inconsistent to say that a signature is “valid”. (See: validate, verify.)