Updated: July 11, 2020 (November 12, 2001)
Sidebar: Digital Certificates, CAs, and Trust
Although public key cryptography indisputably fills a critical niche, it cannot by itself provide identification and authentication services, i.e., “Who are you, and can you prove it?” How can the user be certain that a public key really belongs to the named person, company, or computer?
For public key cryptography to be useful, users must be confident that the public keys they use truly belong to the intended parties and that they have not been falsified or stolen. This is where digital certificates come in. In its simplest sense, a certificate is a digitally signed statement issued by a trusted entity that someone with a particular “identity” (a name of a person, company, or computer) owns a public key for a specific period of time. While seemingly simple in concept, certificates are the hardest part of making public key cryptography work in the real world.
Users need to trust the entities (the people and software known as certificate authorities, or CAs) that issue certificates. In particular, users must believe that CAs can adequately verify the identity of the person or machine to whom they issue certificates.
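The definition above can be exercised end to end with Go's standard `crypto/x509` package. This is an added example, not part of the original article: the helper names `issue` and `trusted`, the host names under `example.test`, and the choice of Ed25519 keys are all assumptions made for illustration. A relying party accepts the certificate only when the signature chains to a CA it already trusts, the name matches, and the check falls inside the validity period.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a key pair and a certificate binding name to the public key for [from, to].
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey, from, to time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, NotBefore: from,
		NotAfter: to, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // no issuer given: self-signed root CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// trusted reports whether leaf chains to ca, names host, and is within its validity at time at.
func trusted(leaf, ca *x509.Certificate, host string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil
}

func main() {
	now := time.Now()
	ca, caKey := issue("ca.example.test", nil, nil, now.Add(-time.Hour), now.AddDate(10, 0, 0))
	leaf, _ := issue("mail.example.test", ca, caKey, now.Add(-time.Hour), now.AddDate(1, 0, 0))
	fmt.Println(trusted(leaf, ca, "mail.example.test", now), trusted(leaf, ca, "mail.example.test", now.AddDate(2, 0, 0)))
}
```

A certificate carrying the same names but signed by a CA outside the trusted pool fails the same check, which is why the set of trusted CAs matters as much as the signature itself.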