VeriSign and GlobalSign are two well-known CA businesses that provide certificates with which servers authenticate themselves to web browsers, but there are many others. It is up to the recipient to collect CA certificates only from CAs that it trusts.
Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
202 | Chapter 5: Authentication and Encryption
Now the logical question of who signs the CA certificates arises. The answer is simple: another CA signs it. The fact that CA certificates can be signed by higher CAs gives the system an interesting property. Although the recipient might not explicitly trust a CA (because it is not in the recipient's CA list), the recipient might trust the higher-level CA that signed the untrusted certificate. If any CA is trusted, all CA signatures under it can be trusted too.
However, the highest-level CA must always sign its own certificate. This is called a self-signed certificate and is a common practice. A CA with a self-signed certificate is called a root CA, because there's no CA above it. To trust a certificate signed by a root CA, that root CA must necessarily be in the recipient's trusted CA list.
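The chain walk described above, as an added example that is not from the book: starting at a server certificate, the recipient looks up each issuer, checks the issuer's signature with the issuer's public key, and stops either at a CA it explicitly trusts or at a self-signed root, which is accepted only if that exact root (name and key) is in the recipient's trusted CA list. The certificates are a constructed toy model (subject, issuer, public key, signature) rather than real X.509 objects, the CA names are made up, and the signatures use textbook RSA built from fixed small primes so the example runs with the Python standard library alone. None of the key material is secure; it exists only to preserve the property the text relies on, that anyone holding the issuer's public key can verify the signature without the issuer's private key.

```python
import hashlib
from dataclasses import dataclass

E = 65537       # public exponent shared by every toy key
MAX_DEPTH = 8   # stop walking if issuer names form a loop


# Toy RSA keys from fixed Mersenne primes (constructed for illustration only;
# real CA keys are 2048+ bits and randomly generated).
def make_key(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))   # (public modulus, private exponent)


def sign(tbs, priv):
    """Sign the to-be-signed bytes with the issuer's private key."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n
    return pow(h, d, n)


def verify(tbs, sig, n):
    """Verify a signature using only the issuer's public modulus."""
    h = int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n
    return pow(sig, E, n) == h


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_n: int    # the subject's public key
    signature: int   # the issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.public_n}".encode()

    def is_self_signed(self):
        # A root signs its own certificate with its own key.
        return self.subject == self.issuer and verify(self.tbs(), self.signature, self.public_n)


def issue(subject, subject_n, issuer, issuer_priv):
    unsigned = Cert(subject, issuer, subject_n, 0)
    return Cert(subject, issuer, subject_n, sign(unsigned.tbs(), issuer_priv))


def validate(leaf, available, trusted):
    """Walk from leaf toward a trust anchor.

    available: certificates presented with the leaf (intermediates), keyed by subject.
    trusted:   the recipient's own trusted CA list, keyed by subject.
    Returns (True, path) or (False, reason).
    """
    cert, path = leaf, [leaf.subject]
    for _ in range(MAX_DEPTH):
        if cert.is_self_signed():
            # A root's own signature proves nothing; the recipient must already trust
            # this exact root (same name and same key) for the chain to be accepted.
            anchor = trusted.get(cert.subject)
            if anchor is not None and anchor.public_n == cert.public_n:
                return True, path
            return False, f"root {cert.subject!r} is not in the trusted CA list"
        issuer = trusted.get(cert.issuer) or available.get(cert.issuer)
        if issuer is None:
            return False, f"issuer {cert.issuer!r} not found"
        if not verify(cert.tbs(), cert.signature, issuer.public_n):
            return False, f"bad signature on {cert.subject!r} by {cert.issuer!r}"
        if issuer.subject in trusted:
            # Any explicitly trusted CA anchors everything signed beneath it.
            return True, path + [issuer.subject]
        cert = issuer
        path.append(cert.subject)
    return False, "chain too long"


def demo():
    root_priv = make_key(2**61 - 1, 2**89 - 1)
    inter_priv = make_key(2**31 - 1, 2**107 - 1)
    server_priv = make_key(2**19 - 1, 2**127 - 1)
    root = issue("Example Root CA", root_priv[0], "Example Root CA", root_priv)
    inter = issue("Example Issuing CA", inter_priv[0], "Example Root CA", root_priv)
    server = issue("www.example.com", server_priv[0], "Example Issuing CA", inter_priv)
    # Same signature, different key: the signed bytes no longer match.
    forged = Cert("www.example.com", "Example Issuing CA", 12345, server.signature)
    chain = {inter.subject: inter, root.subject: root}
    return {
        "trusted_root": validate(server, chain, {root.subject: root}),
        "trusted_intermediate": validate(server, {}, {inter.subject: inter}),
        "empty_trust_list": validate(server, chain, {}),
        "missing_intermediate": validate(server, {}, {root.subject: root}),
        "tampered_key": validate(forged, chain, {root.subject: root}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `empty_trust_list` case is the point of the passage: the server presents a complete chain up to a correctly self-signed root, every signature verifies, and the chain is still rejected because the recipient never chose to trust that root. The `trusted_intermediate` case shows the converse, that trusting a CA anywhere in the chain is enough for everything signed beneath it.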
5.2.4 X.509 Certificate Format
All digital certificates are currently encoded in X.509 certificate format. An X.509 certificate is no more than a plain text file that is arranged in a very specific syntax.