Figure 5.4: Sample of trusted root authorities in IE 8
X.509 is designed to allow delegation of signing authority. A top-level CA can
issue and sign a certificate to, for instance, a “west coast” authority and an “east
coast” authority. These authorities can sign certificates on behalf of the top-level
CA. The receiver first verifies that the lowest-level certificate is valid according to
the delegated authority's certificate. Then it checks the signature of the delegated
authority against that of the root-level authority as illustrated in Figure 5.5.
[Figure 5.5: diagram of a three-level chain, labelled root, delegate, server certificate]
Figure 5.5: Certificate authority delegation
This way, the verifier — for example, the web client — only needs to keep
track of a small number of root CAs. A handful of trusted root authorities can