
user were allowed to issue certificates, it would be no different from that user simply signing the data. For a certificate to be of any use, it must be issued by a trusted entity – an entity that both the sender and receiver trust. Such a trusted entity is known as a certification authority (CA). Third-party CAs such as VeriSign or Entrust can be trusted because they are highly visible and their public keys are well known to the IT community. When you are confident that you hold a true public key for a CA, and that public key properly decrypts (verifies the signature on) a certificate, you are then certain that the certificate was digitally signed by the CA and no one else. Only then can you be positive that the public key contained inside the certificate is valid and safe.

In a third-party, or external, PKI, it is up to the third-party CA to positively verify the identity of anyone requesting a certificate from it. Beginning with Windows 2000, Microsoft has allowed the creation of a trusted internal CA – possibly eliminating the need for an external third party. With a Windows Server 2003 CA, the CA verifies the identity of the user requesting a certificate by checking that user's authentication credentials (using Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is issued to the user. When the user needs to transmit his or her public key to another user or application, the certificate is used to prove to the receiver that the public key inside can be used safely.

In the analogy we used earlier, the state driver's licensing agency is trusted because it is known that the agency requires proof of identity before issuing a driver's license. In the same way, users can trust the certification authority because they know it verifies the authentication credentials before issuing a certificate.
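To make the trust relationship above concrete, here is an added example (not from the book, and not Windows Server code) written against Go's standard crypto/x509 package: a constructed internal CA issues a certificate to a user, and a receiver that trusts only the CA's public key accepts that certificate but rejects one the same user signed for herself. All names, keys and validity periods are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template is a minimal certificate body valid for the next 24 hours (constructed values).
func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
}

// issue signs a certificate for pub with the signer's key; parent == nil means self-signed,
// i.e. the subject "issues" its own certificate, which is the case the text warns about.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// TrustedByCA is the receiver's check: only the CA's public key is trusted, and cert is
// accepted only if that key verifies the CA's signature on it (the chain builds to the CA).
func TrustedByCA(caCert, cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario builds a constructed internal CA and one user, then reports whether the receiver
// accepts the CA-issued user certificate and whether it accepts the user's self-issued one.
func Scenario() (fromCATrusted, selfIssuedTrusted bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := template(1, "Example Internal CA")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caCert := issue(ca, nil, &caKey.PublicKey, caKey)
	user := template(2, "alice@example.test")
	fromCA := issue(user, caCert, &userKey.PublicKey, caKey)    // the CA vouches for Alice's key
	selfIssued := issue(user, nil, &userKey.PublicKey, userKey) // Alice vouches for herself
	return TrustedByCA(caCert, fromCA), TrustedByCA(caCert, selfIssued)
}
```

Scenario() returns (true, false): the receiver, holding only the CA's public key, accepts the CA-signed certificate and rejects the self-issued one, which is exactly why a certificate signed by the user alone adds nothing over the user signing the data directly.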

CA Hierarchy

EXAM