Next: 3.3.8 What about non-repudiatability Up: 3.3 Data Security: Cryptography Previous: 3.3.6 What about authenticity?

3.3.7 Is the certificate trustworthy?

Because it comes from an organization that you trust. If I hand you my driver's license to identify myself, you accept it as valid identification because you trust the organization that issued me the license, namely the government of my state.

If I am a catalog sales merchant and you obtain my public key from some place on the Internet, it might have both a certificate from my company and a certificate from my company's bank attached to it. This is a way of saying, ``Look, it's not just Acme Sales Corp. that says this public key is from our designated representative, but First National Bank says so, too.'' Presumably, for First National Bank to issue such a certificate, I (or someone from my company) had to prove myself to be a representative of Acme to the appropriate person at First National.

As you can see, there is a notion of a ``hierarchy of trust'' associated with public keys and certificates. At the top of the hierarchy is some organization that we trust implicitly. With checks and credit cards, we have to trust the banks that issue them. With currency we have to trust the government that issued it.

A trusted organization that issues certificates on behalf of others is called a ``certifying authority'' (CA).
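The hierarchy described above, as an added example that is not part of the original text: a root CA that we trust implicitly issues a certificate to First National Bank, the bank issues one for Acme's representative, and Go's crypto/x509 walks the chain back to the root. The organization names are constructed for the example; with no trusted root, the same chain is rejected, which is the whole point of the hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key; each party in the hierarchy holds its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// mkCert issues a certificate for key, signed with parentKey; a nil parent means self-signed (the root).
func mkCert(serial int64, cn string, isCA bool, key, parentKey *ecdsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only CAs may vouch for other keys
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// VerifyChain builds root CA -> First National Bank -> Acme representative and verifies the Acme
// certificate. Only the root is trusted implicitly; the bank's certificate is an intermediate that
// must itself chain to the root. With trustRoot false the root pool is empty and the chain fails.
func VerifyChain(trustRoot bool) error {
	rootKey, bankKey, acmeKey := newKey(), newKey(), newKey()
	root := mkCert(1, "Trusted Root CA", true, rootKey, nil, nil)
	bank := mkCert(2, "First National Bank", true, bankKey, rootKey, root)
	acme := mkCert(3, "Acme Sales Corp. representative", false, acmeKey, bankKey, bank)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot { roots.AddCert(root) }
	inters.AddCert(bank)
	_, err := acme.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Verify returns nil only when every signature on the path checks out and the path ends at a certificate in the trusted root pool; an Acme certificate vouched for by a bank nobody trusts is no better than a self-signed one.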


Denis Arnaud
12/19/1997