Re: Certificate authorities



On 2008-10-29 17:51:08 +0000, Jack Gaskella <gaskella@xxxxxxxxxx> said:

> I posted this in mozilla.support.firefox and received no response yet. Anyone
> here know?

This stuff is all described fully by the X.509 standard. For a gross simplification, read on...

CAs are organizations that certify the identity of somebody else.

Verisign is an example of an organization that runs a CA. (Actually lots of CAs.)

An SSL web server is considered an identity of something. You can have "secure" Internet email as well, and then your email address is a secure identity.

When a CA certifies something, the thing gets a digital certificate. Digital certificates are unforgeable as far as anyone knows.

CAs also have digital certificates.

So when you connect to an SSL web site, you need to work out whether you trust the web site or not. If you don't, you don't connect.

One way to trust a web site is to tell your web browser a list of SSL certificates that you explicitly do trust.

That doesn't scale too well, so what you can do instead is to tell your web browser a list of CA certificates. If one of those has issued a particular SSL certificate, you trust the web site.

There are far fewer CAs than SSL servers, so this scales much better.

> in preferences/advanced/encryption/view certificates. What are certificate
> authorities and what happens if I delete them all? There are several dozen
> of them. Regards, J

If you delete them, you will have to manually agree to every SSL connection that you make. That would probably be quite annoying.

But on the other hand, maybe you have a different idea of which CAs are trustworthy, to the Mozilla organization's.

I'd be inclined not to delete them.
--
Chris
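
The trust decisions described in the post above can be reproduced with the `openssl` command line. This is an added example, not part of the original post. The CA names, the `example.test` host names and the helper functions are made up for the demo, and it assumes OpenSSL 1.1.0 or later with its default configuration file.

```shell
#!/usr/bin/env bash
# Added example. CA names and *.example.test hosts are constructed for the demo.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

make_ca() {      # $1 = file prefix, $2 = CA name: creates a self-signed CA cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = server prefix, $3 = host name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$2.csr" -days 2 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# Is server cert $1 accepted, given the list of trusted CA certs ($2...)?
# An empty list models a client whose CA certificates were all deleted.
trusted_via_ca_list() {
  local cert=$1 f; shift
  if [ $# -eq 0 ]; then
    openssl verify -no-CAfile -no-CApath "$work/$cert.pem" >/dev/null 2>&1
    return
  fi
  : > "$work/cas.pem"
  for f in "$@"; do cat "$work/$f.pem" >> "$work/cas.pem"; done
  openssl verify -no-CApath -CAfile "$work/cas.pem" \
    "$work/$cert.pem" >/dev/null 2>&1
}

# Explicit trust of one server certificate, with no CA on the list.
trusted_explicitly() {   # $1 = cert presented, $2 = cert on the trust list
  openssl verify -no-CApath -partial_chain -CAfile "$work/$2.pem" \
    "$work/$1.pem" >/dev/null 2>&1
}

make_ca ca_a "Demo CA A"; make_ca ca_b "Demo CA B"
issue_cert ca_a site "www.example.test"      # issued by CA A
issue_cert ca_b other "other.example.test"   # issued by CA B

report() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
report trusted_via_ca_list site ca_a ca_b    # issuing CA is on the list
report trusted_via_ca_list site ca_b         # only an unrelated CA is listed
report trusted_via_ca_list site              # CA list is empty
report trusted_explicitly site site          # this exact cert is on the list
report trusted_explicitly other site         # a different cert is presented
```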
