

Certifying Authority



A CA, or certifying authority, issues, signs, and revokes certificates. By signing a certificate that it issues, the CA attests to the identity of that person or organization. A CA must itself have a certificate, i.e. its own public and private key pair. The CA's certificate works like any other certificate in that it is used to identify an Internet entity. Since the CA needs a certificate, the CA must obtain one somehow. The CA can generate its own certificate if the CA is a trusted CA. When a CA is a trusted CA you trust the CA to issue good certificates and you trust the CA's identity. A trusted CA is also called a trusted root CA if the CA is part of a CA chain.

There are trusted, commercial CA's such as VeriSign from which you can purchase a certificate. You can buy a full certificate from VeriSign, or if you would just like to "play" with a certificate you can request a free, trial certificate. VeriSign is not the only trusted commercial CA out there; in fact there are many other CA's that are "trusted." If you do choose to buy a certificate, VeriSign will have to validate your identity before they issue the certificate. Since certificates establish Internet identity, the CA must make sure that the name on the certificate is really the name of the person receiving the certificate. Imagine the fun you could have if you were able to receive a certificate in the name of Bill Gates. For that reason the person requesting the certificate must go in person, with valid ID, to a notary public to establish identity. Once the CA is sure of your identity the CA can issue you a certificate. When requesting a certificate from a CA, your browser will create a public and private key for you. The private key is then stored on your local computer while your public key is sent to the CA so that it will be part of the certificate. It is very important that the client generate the private key, since it must be kept private. Once you have a certificate you will most likely install it in your browser, for reasons which will be explained later.

A trusted CA is one that you trust to issue valid certificates; really what you are trusting is that the CA will do a good job verifying the individual's identity before the certificate is issued. A big, commercial CA, such as VeriSign, is trusted by the Internet community in general, and therefore your browser automatically trusts certificates that were issued by this CA. All browsers today have a list of CA's that are trusted; you can view the CA's that your browser trusts through the security option in most browsers or by finding certificates under the help menu. You can change the CA's that your browser trusts by adding or deleting them from the list. Unless you know what you are doing it is not a good idea to modify this list. By adding a CA to the list you are saying that you will accept any certificate issued by this CA, and in doing so you trust that the CA is actually verifying the identity of individuals before certificates are issued. Remember that certificates can identify a web site, and do under SSL, so be cautious about adding CA's to your list. By deleting a CA your browser will not accept certificates issued by that CA. When a web site uses a certificate to verify its identity it chooses one of the commercial CA's that is already trusted in your browser, so you do not get any error messages. The UCSD Studentlink site uses a certificate to verify itself to you, and by deleting that CA you will get an error message when you try to connect.

There are CA's that are not trusted in the Internet community that you may want to trust. These CA's are usually CA's that will issue certificates to employees in a corporation. These CA's should be trusted only by the employees of that company, but not the rest of the world. An important fact to remember is that anyone can set up a CA, but whether the CA will be trusted is up to each individual.

CA's can also be arranged hierarchically; the root CA would be a trusted CA. This CA can certify subsidiary CA's, by issuing certificates to those CA's, which can in turn certify other CA's. This situation is useful for very large organizations like the military. The DoD (Department of Defense) could have one trusted root CA that all military and DoD employees would have to trust. This root CA could then issue certificates so that the Navy, Army, Pentagon, etc. could each have their own CA. The Navy's CA could then issue certificates to Navy personnel even though the Navy CA is not a trusted root CA. Since the DoD CA, which issued the Navy CA's certificate, is a trusted root CA, the certificate will be validated once the CA chain is traversed. The validation process will be described later on the certificate page. The hierarchy of CA's could theoretically be infinitely long as long as there is a trusted CA at the top of the chain.

Other functions that CA's must perform are certificate management and certificate revocation. These functions create more confidence in the authentication process. If it is known that 1) someone's certificate or key has been compromised, 2) a certificate or key is old, or 3) an individual has left the organization, that specific certificate must be revoked. Once a certificate has been revoked it will no longer be authenticated.
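To make the chain traversal and the revocation check concrete, here is an added example (not from the original page) that builds the DoD -> Navy -> sailor hierarchy described above with a toy RSA and accepts a chain only when it reaches a CA in the trusted list, refusing it if any certificate in the chain has been revoked. All names and keys are constructed for the example, and the tiny primes stand in for real key sizes.

```python
import hashlib
from dataclasses import dataclass
# Toy RSA on tiny fixed primes (models chain logic only; real CAs use 2048-bit+ keys).
def toy_keypair(p, q, e=7):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple          # (e, n) of the subject
    signature: int         # issuer's signature over tbs()
    def tbs(self) -> bytes:                      # "to be signed" bytes
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def issue(subject, pubkey, issuer_name, issuer_priv) -> Cert:
    d, n = issuer_priv                           # issuing CA signs name + key
    body = Cert(subject, issuer_name, pubkey, 0).tbs()
    return Cert(subject, issuer_name, pubkey, pow(digest(body, n), d, n))

def signature_valid(cert: Cert, issuer_pub) -> bool:
    e, n = issuer_pub
    body = Cert(cert.subject, cert.issuer, cert.pubkey, 0).tbs()
    return pow(cert.signature, e, n) == digest(body, n)

def validate_chain(chain, trusted_roots, revoked) -> bool:
    """chain = [end entity, intermediate CA(s)..., root]; accept only on reaching a trusted root."""
    for i, cert in enumerate(chain):
        if cert.subject in revoked:              # revoked anywhere in the chain
            return False
        if cert in trusted_roots:                # reached a trusted root CA
            return True
        if i + 1 == len(chain):                  # ran out of certs before a root
            return False
        issuer = chain[i + 1]
        if issuer.subject != cert.issuer or not signature_valid(cert, issuer.pubkey):
            return False
    return False
# The page's DoD -> Navy -> sailor hierarchy (constructed names and keys).
dod_pub, dod_priv = toy_keypair(61, 53)
navy_pub, navy_priv = toy_keypair(101, 103)
sailor_pub = toy_keypair(107, 109)[0]
DOD_ROOT = issue("DoD Root CA", dod_pub, "DoD Root CA", dod_priv)   # self-signed
NAVY_CA = issue("Navy CA", navy_pub, "DoD Root CA", dod_priv)
SAILOR = issue("sailor@navy.example", sailor_pub, "Navy CA", navy_priv)
TRUSTED = {DOD_ROOT}                              # the browser's trusted list
```

Revocation is modelled here as a set of subject names; real CAs publish the serial numbers of revoked certificates instead.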




Send your comments and suggestions to
rrwallac@ucsd.edu


Contact information URL: http://sdcc10.ucsd.edu/~rrwallac e-mail: rrwallac@ucsd.edu


