Security Basics mailing list archives
Re: Another basic PKI question
From: Francisco Andrades <fandrades () nextj com>
Date: Tue, 14 Oct 2003 14:02:03 -0400
Hi,
You only need to trust the CA's root certificate. When you receive your signed certificate you also receive the whole chain up to the root certificate. When validating your certificate the whole chain will be checked, up to the root certificate. If the root certificate is trusted then the whole chain will be trusted (unless, of course, any of the certificates has been revoked).
That's the whole idea about PKI: you don't have to trust everybody, you trust the CA. If a whole organization is no longer trusted then the parent certificate of its chain can be revoked, invalidating all certificates down the chain.
Roger A. Grimes wrote:
First, thanks to everyone who responded to my last question regarding PKI. (The answer to that one was that yes, both public and private keys can encrypt and decrypt (with most popular PKI protocols); but who encrypts and decrypts depends on whether you are signing or encrypting...but yes, the private key can encrypt. Thank you all.)
New question: When I receive a digital certificate, do I (or my browser) have to trust every PKI CA in the tree of trust heading all the way back up to the root CA, or just the closest CA to me in the chain of trust? I'm guessing it's the latter.
--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
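The validation described in the reply above, as an added example that is not part of the original message: Go's standard `crypto/x509` issues a root, an issuing CA and a leaf, then shows that only the root has to be trusted locally and that revoking the issuing CA rejects the leaf beneath it. The names, serial numbers and the `revoked` set are constructed for illustration; the set stands in for a CRL or OCSP lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validate builds a path from leaf, through the certificates the peer sent, to the one trusted root.
func validate(leaf, trusted *x509.Certificate, revoked map[int64]bool, sent ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	for _, c := range sent {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	for i := 0; err == nil && i < len(chains[0]); i++ { // Verify checks no revocation; revoked stands in for CRL/OCSP
		if c := chains[0][i]; revoked[c.SerialNumber.Int64()] {
			err = fmt.Errorf("%q is revoked, chain rejected", c.Subject.CommonName)
		}
	}
	return err
}

func main() { // names and serial numbers below are constructed for this example
	root, rootKey := issue("Example Root CA", 1, x509.KeyUsageCertSign, nil, nil)
	ca, caKey := issue("Example Issuing CA", 2, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("www.example.test", 3, x509.KeyUsageDigitalSignature, ca, caKey)
	fmt.Println(validate(leaf, root, nil, ca), validate(leaf, root, map[int64]bool{2: true}, ca))
}
```

The first call succeeds although the issuing CA was never added to the trust store; the second fails because serial 2, the issuing CA, is in the revoked set.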