abbr. "CA".

In the PKI world, an entity which may sign a certificate.

An application will have a collection of trusted CA certificates. Before trusting the validity of an arbitrary certificate, the application will check to see whether it has been signed by any of its trusted CAs, or by a CA authorised to sign certificates by a trusted CA.

In essence, a Certificate Authority is an organisation which you as a user are expected to trust to only sign certificates after verifying the authenticity of the certificate with due diligence. Companies such as Verisign and Thawte run commercial CAs.

This concept of trusting a central monolith (the original idea was that the United Nations would be the root CA for everyone, and everyone would hold their infallibility to be self-evident) is one way of managing certificates. If you find it difficult to trust large bodies, maybe the PGP Web of Trust model will be more appealing to you.

A necessary part of the PKI model. From now on, in short - CA.

A trusted company which signs third-party (a.k.a. customers') digital certificates, thus certifying their authenticity and trust level. Before you get your certificate signed (for a fee, of course - this is similar to a notary notarizing your documents), you'll be required to present some official documents -- a procedure which reduces the risk that the third party (you) is a fraud.

When an e-commerce site presents your web browser with its X509 digital certificate (a thing which happens when you connect to an HTTPS site), your browser will:

  1. See the certificate's "Issuer", which the certificate claims to have been issued by.
  2. Open its internal database of trusted major CAs (e.g. Verisign, Thawte), and find the one whose name corresponds to the "Issuer".
  3. Verify that the site's certificate was indeed signed by the CA (using the CA's certificate, and a bit of mathematics).

If the certificate ends up untrusted, the browser will alert you. This has created a big market of e-commerce sites which wish to be trusted by their customers, and vested a lot of control in the hands of popular browser vendors (Netscape and Microsoft). Since the browser vendors ultimately decide which CA certificates get shipped with their software, they decide which CA companies can do business. A CA whose certificate isn't trusted by the major browsers is worthless.

Technically, the CA is the root of the PKI trust tree (thus, the ultimate authority of trust), and its certificate is also called a "Root Certificate". Since there is no ultimate truth in our corrupted world, many commercial CAs have sprung up. The thick line distinguishing a real authority from a certificate every kid can generate (with OpenSSL or similar) -- is the embedding into the browsers. The web browsers' databases are static (their contents determined by whatever the vendor has put in them when the browser was shipped), and the winners are those which could get their certificates into those databases on time, prior to major browser releases. (This is somehow reminiscent of the root name server monopoly, at the centre of which -- quite curiously -- Verisign now stands too.)

At the time of this writeup, Verisign (after acquiring Thawte) became the world's monopoly on digital certification.
