Security Basics mailing list archives

Re: Another basic PKI question


From: Francisco Andrades <fandrades () nextj com>
Date: Tue, 14 Oct 2003 14:02:03 -0400

Hi,

You only need to trust the CA's root certificate. When you receive your signed certificate you also receive the whole chain up to the root certificate. When validating your certificate the whole chain will be checked, up to the root certificate. If the root certificate is trusted then the whole chain will be trusted (unless, of course, any of the certificates has been revoked).

That's the whole idea about PKI: you don't have to trust everybody, you trust the CA. If a whole organization is no longer trusted then the parent certificate of its chain can be revoked, invalidating all certificates down the chain.

Roger A. Grimes wrote:
First, thanks to everyone who responded to my last question regarding PKI.

(The answer to that one was that yes, both public and private keys can
encrypt and decrypt (with most popular PKI protocols); but who encrypts and
decrypts depends on whether you are signing or encrypting...but yes, the
private key can encrypt.  Thank you all.)

New question:  When I receive a digital certificate, do I (or my browser)
have to trust every PKI CA in the tree of trust heading all the way back up
to the root CA, or just the closest CA to me in the chain of trust?  I'm
guessing it's the latter.



--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
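The chain walk Francisco describes, as an added example that is not part of the original thread: a minimal X.509 verifier that anchors trust only at a certificate found in the trust store, so a chain is accepted when it reaches a trusted root (or a directly trusted intermediate) and rejected when it ends at an unknown root or passes through a revoked certificate. It uses the Python `cryptography` package; the CA names, serial numbers and the revocation set are constructed here for the demo and the ECDSA-only signature check is a simplification.

```python
"""Added example (not from the original thread): X.509 chain verification that
trusts only what is in the trust store. Requires 'pip install cryptography';
names, serials and the revocation set below are constructed for the demo."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)


def issue(common_name, is_ca, issuer=None):
    """Create a key pair and a certificate for it. Without an issuer the
    certificate is self-signed (a root); otherwise issuer=(cert, key) signs it."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - dt.timedelta(days=1))
        .not_valid_after(NOW + dt.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )
    return cert, key


def validity(cert):
    """Tz-aware validity window; newer 'cryptography' releases expose *_utc
    properties, older ones only naive UTC datetimes."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def verify_chain(chain, trust_store, revoked=frozenset(), now=NOW):
    """chain = [leaf, ..., root] as presented by the peer. Walk upward until a
    certificate in trust_store is reached; every hop must be unexpired, not
    revoked (by serial, a stand-in for a CRL/OCSP lookup), name-linked to its
    issuer, and carry a signature made by the issuer's key."""
    anchors = {c.fingerprint(hashes.SHA256()) for c in trust_store}
    for depth, cert in enumerate(chain):
        not_before, not_after = validity(cert)
        if not not_before <= now <= not_after:
            return False, f"depth {depth}: outside validity period"
        if cert.serial_number in revoked:
            return False, f"depth {depth}: certificate revoked"
        if cert.fingerprint(hashes.SHA256()) in anchors:
            return True, f"anchored at trusted certificate (depth {depth})"
        if depth + 1 == len(chain):
            return False, "chain ends at a certificate that is not in the trust store"
        issuer = chain[depth + 1]
        if cert.issuer != issuer.subject:
            return False, f"depth {depth}: issuer name does not match next certificate"
        try:
            if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                return False, f"depth {depth + 1}: issuer is not a CA"
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except x509.ExtensionNotFound:
            return False, f"depth {depth + 1}: issuer lacks BasicConstraints"
        except InvalidSignature:
            return False, f"depth {depth}: signature not made by the next certificate's key"
    return False, "empty chain"


def demo():
    """Build root -> intermediate -> leaf plus an unrelated root, then verify
    several chains against a trust store holding only the first root."""
    root, root_key = issue("Demo Root CA", True)
    inter, inter_key = issue("Demo Issuing CA", True, (root, root_key))
    leaf, _ = issue("www.example.test", False, (inter, inter_key))
    other_root, other_key = issue("Unknown Root CA", True)
    other_leaf, _ = issue("www.example.test", False, (other_root, other_key))
    return {
        "trust_root_only": verify_chain([leaf, inter, root], [root])[0],
        "trust_intermediate_directly": verify_chain([leaf, inter], [inter])[0],
        "unknown_root": verify_chain([other_leaf, other_root], [root])[0],
        "revoked_intermediate": verify_chain([leaf, inter, root], [root],
                                             revoked={inter.serial_number})[0],
        "leaf_presented_alone": verify_chain([leaf], [root])[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'accepted' if ok else 'rejected'}")
```

The trust decision is made by fingerprint membership, never by the chain's own say-so: the self-signed root's signature is not what makes it trusted, its presence in the store is. Revoking the intermediate's serial makes the leaf fail even though the leaf itself is unchanged, which is the "invalidating all certificates down the chain" effect from the reply above.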

