In the context of a PKI, certification is the act of binding a subject name (and potentially other attributes) with a public key. As discussed previously in this chapter, this binding occurs in the form of a signed data structure referred to as a public-key certificate. A Certification Authority (CA) is responsible for issuing these public-key certificates. (See Box 6.4.)
Box 6.4 Certificate Authority versus Certification Authority
A CA is sometimes referred to as a certificate authority rather than a Certification Authority in much of today's literature. Although it may be too late to stop the growing use of this term, we would like to point out that using this term to denote a CA is technically (and logically) incorrect. There is no such thing as a "certificate authority" in X.509, and the implication that a CA is an authority on certificates is somewhat misleading. Specifically, a policy authority (or policy management authority) is the authority on certificates; the CA is simply an instrument that issues certificates in accordance with the Certificate Policy dictated by the policy authority. The term Certification Authority is used throughout this book because a CA is an authority on the process of certification.
These certificates are digitally signed with the private key of the issuing CA.
Because the issuing CA digitally signs certificates, they are self-protected from an integrity perspective. Thus, the certificates can be freely disseminated, assuming that they do not contain any sensitive information. (In Chapter 11, we discuss the difficulties associated with the dissemination of certificates that might be considered sensitive in nature.)
The CA can take on a number of different representations, depending on the trust model embodied by that CA. For example, in an enterprise domain, one can expect one or more CAs to be responsible for issuing certificates to the employees of the enterprise. The employees essentially place their "trust" in the enterprise CA(s).4
A completely different architecture is reflected in the PGP "web of trust" model where individuals can act as their own CA, and all trust decisions lie with the individual rather than a remote CA. (Chapter 9 provides a more detailed discussion regarding trust models and the role a CA plays in relation to those trust models.)