38 for which it is valid. The key component that is missing is the issuers certificate. The issuers certificate is the key component for verifying the validity of a certificate because it contains the issuers public key, which is necessary for verifying the signature on the subjects certificate. By signing a certificate with the issuers private key, anyone that has the issuers public key can verify its authenticity. The signature serves as a safeguard to prevent tampering. By signing the subjects certificate, the issuer asserts that it has verified the authenticity of the public key that the certificate contains and states that it may be trusted. As long as the issuer is trusted, the certificates that it issues can also be trusted. Its important to note that the issuers certificate or public key may be contained in an issued certificate. Its more important to note that this information cannot be trusted to authenticate the certificate. If it was trusted, the element of trust established from a third party is effectively eliminated. Anyone could create another key pair to use in signing a certificate and place that public key in the certificate. Certificates are also created with a serial number embedded in them. The serial number is unique only to the issuer of the certificate. No two certificates issued by the same issuer should ever be assigned the same serial number. The certificates serial number is often used to identify a certificate quickly.

3.1.1 Certification Authorities

A Certification Authority CA is an organization or company that issues certificates. By its very nature, a CA has a huge responsibility to ensure that the certificates it issues are legitimate. That is, the CA must ensure beyond all reasonable doubt that every certificate it issues contains a public key that was issued by the party that claims to have issued it. It must be able to produce acceptable proof for any certificate that it issues on demand. Otherwise, how can the CA itself be trusted? There are two basic types of CAs. A private CA has the responsibility of issuing certificates only for members of its own organization, and is likewise trusted only by members of its own organization. A public CA, such as VeriSign or Thawte, has the responsibility of issuing certificates for any member of the public, and must be trusted by the public. The burden of proof varies depending on the type of CA that has issued a certificate and the type of certificate that is issued. A CA must be trusted, and so for that trust to be extended, its certificate containing its public key must be widely distributed. For public CAs, their certificates are generally published so that anyone can obtain them. More commonly, the software that makes use of them, such as a web browser, is shipped containing them. Most often, the software allows certificates from other CAs to be added to its list of trusted certificates, thus facilitating the use of private CAs with off-the- shelf software.

3.1.1.1 Private Certification Authorities

A private CA is often ideal for use in a corporate setting. For example, a company could set up its own CA for email, using SMIME as the standard for encrypting and authenticating email messages. The companys CA would issue certificates to each employee, and each employee would configure their SMIME-capable email clients to recognize the companys CA as being trusted. For a private CA, verifying the identity of a subject is often a reasonably simple and straightforward matter. When used in a corporate environment, for example, employees are known, and their identities can be easily identified using information obtained from the companys human 39 resources department. In such a scenario, the human resources department is said to be acting as a Registration Authority RA.

3.1.1.2 Public Certification Authorities

A public CA commonly issues certificates for public web sites requiring encryption andor authentication, often for e-commerce in which customer information must be transmitted securely to place an order. For such operations, its essential that the customers transmit their information to the site that is supposed to be receiving it without worrying about someone else obtaining the information. For a public CA, verifying the identity of a subject [1] is considerably more difficult than it is for a private CA. The information required from the subject to prove its identity to the CA varies depending on whether the subject is an individual or a business. For an individual, the proof required could be as simple as a photocopy of a government-issued ID, such a drivers license or passport. For a business or other organization, similar government documentation proving your right to use the name will also likely be required. [1] As we mentioned in Chapter 1 , this is technically the job of an RA instead of a CA, but the CA generally deals with the RA transparently. Its important to note that most public CAs provide their services to make money, and not to simply benefit the public. They still have a responsibility to verify a subjects identity, but not actually guarantee anything—the liability is too great to provide an absolute guarantee. Certainly, it is in the CAs best interests to verify a subjects identity to the best of its ability, however. If a CA gains the reputation of issuing certificates to anyone who asks and pays them enough money, theyre not going to remain in business for very long because nobody will trust them.

3.1.2 Certificate Hierarchies