The Role of CAs in PKI

Hi,

This question concerns the role of certificate authorities. How I understand PKI thusfar is that it's simply the use of asymmetric cryptography to protect data. I hope that much I have right.

Next, I've been looking for info on what exactly CAs do. What is their role in all of this? In other words, would it be possible to have PKI without a certificate authority and have each keep and issue their own public/private key pair?

If anyone is confused I can clarify this.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

You can do asymmetric encryption (public/private keys) without a CA, but CAs are an integral part of a PKI.

CAs are essentially used to very that the certificates are trustworthy and valid. Would you feel better about entering sensitive information on a website that created it's own certificate, or one that was backed by a CA like Verisign?

msbachman

dynamik wrote: »

Would you feel better about entering sensitive information on a website that created it's own certificate, or one that was backed by a CA like Verisign?

Yeah, you've got a point there...but can't certificates just be spoofed?

dynamik

Not if they're backed by a CA. The security can be compromised, and if that happens, the CA revokes the certificate (which is another important function of CAs).

RobertKaucher

Yes, even if it's backed by a CA. But this type of stuff is not "just" spoofing.
Rogue SSL certificate exploit puts VeriSign on the spot - Network World

Man in the middle attacks are far more likely.
http://www.networkworld.com/community/node/43983