When a client has to exchange sensitive data with a website, he/she must easily decide whether to trust the site. Certificates were designed to serve this need, by making it possibly to partially verify a user’s identity. Certificates can be installed on any type of computer, but they in most cases are found on web servers.
With certificates, an organization purchases a certificate from a known Certificate Authority (CA) and installs it on its web server. The client implicitly trusts the CA and is therefore willing to trust certificate information signed by the CA. This model works well because it is unlikely that a malicious user will go to the expense of purchasing and installing a falsified certificate. The CA also keeps information about each registered user. On the other hand, a certificate does not in any way ensure:
– the trustworthiness of the server
– the safety of the application
– the legitimacy of the business
and in these ways certificates limited in scope.
Each certificate itself contains certain identifying information. It is signed with the CA’s private key to guarantee that it is authentic and has not been modified. The industry-standard certificate type, known as x.509v3, contains the following basic information:
– The holder’s name, organization, and address
– The holder’s public key, which will be used to negotiate an SSL session key for encrypting communication
– The certificate’s validation dates
– The certificate’s serial number
In some cases, a certificate includes business-specific information, such as the certificate holder’s industry, the length of time they have been in business, etc.
The two biggest CAs are as follows:
– Thawte: https://www.thawte.com
– VeriSign: https://www.verisign.com