Wireless Security.pdf - PDF Archive

230 Chapter 9
key hidden from the public, then the user can be fairly certain that the unknown certificate has
been verified by the “ trusted ” third-party CA. As long as the CA is trusted by the user, then
verification via this mechanism extends that trust to the unknown party.
Obviously, the trust in the CA is the most important link in a PKI chain. If you do not
trust the company doing the signing, then there is no guarantee that a signed certificate
has any validity whatsoever. However, CA’s rely on trust, so their reputation, and hence
their profits, are directly tied to the verification of certificate holders. Through traditional
and physical means, a CA will usually follow up on the identity of a certificate holder
before providing an authorized digital signature. The caveat here is that the CA provides
only a guarantee that the certificate matches the person (or entity) providing it, not that
the person is inherently trustworthy. It is completely up to the recipient of the certificate
doing the verification to decide if the provider is trustworthy.
Certificate Authorities can also extend trust to other companies or entities that provide
signing services under the umbrella of the root CA’s trust. These companies are called
“ intermediate Certificate Authorities. ” An intermediate CA has its own root certificate
that is actually signed by the root CA. Through this hierarchy, trust can be extended
from the root CA to the intermediate CA, and finally to the end user. This hierarchy of
extended trust is typically referred to as a “ certificate chain, ” since the authentication
forms a chain from the root CA to the end-user certificates. This chain is precisely
like the governmental hierarchy from the analogy above, where the root CA is like the
government, the intermediate CA is like the Department of Motor Vehicles, and the enduser
certificate is like the driver’s license. For better or worse, however, a CA is not an
elected body, but rather a company that has established itself in the industry as a trusted
signing entity. The foremost example of a root CA operating at the “ governmental ” level
is Verisign. A quick look in any web browser at the built-in certificates will show a large
number of Verisign certificates, or certificates from intermediate CA’s that are covered
under the Verisign PKI—see Figure 9.11 for a comparison with our previous driver’s
license example.
PKI is definitely not the only way to provide a network of trust for digital documents,
but it has become the de facto standard because of the perceived trustworthiness in
paying for authentication. One of the major drawbacks of PKI is that a single company
or small group of companies controls the entirety of trust on the Internet, creating both
a bottleneck and a single point of failure. Some security experts are of the opinion that
www.newnespress.com