1

During the SSL/TLS handshake we are checking the authentication of the client and the server.

During this process certificate chain also comes into the picture to trust/complete the certificate chain.

The question is, Why we need to trust the CA ? what are the things justifies that we should trust that CA ?

Thanks in advance.

2 Answers2

3

Why we need to trust the CA

We don't need to trust the CA but we could try to explicitly contact the owners of each website we visit to check if the certificate we get is the certificate they actually serve or if there is some man in the middle in between (which would result in a different certificate). Of course, you would need to have some protected way to contact the site owners so that a potential attacker could not just fake the reply of the site owner.

Of course, this does not scale well and that's why there is the Public Key Infrastructure (PKI) with trusted CA certificates as roots and certificates for the websites as leaves. For the exact process how this verification can be done by just using some trusted CA instead of trusting each sites certificate explicitly see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.

what are the things justifies that we should trust that CA ?

These are basically the same things that make you run the operating system created by some company, the browser created by some other company, have your mail managed by yet another company, buy food without the fear that it will be poisonous, drive a care without fearing that it will fall apart while driving ... - you trust that somebody else did a proper job and also will not deliberately betray you. This is essentially the basis on how people live together.

Of course, not all of that trust is justified: The CA might have been compromised or might have been ordered by the government to issue certificates which can be used to hijack specific communications. The browser or operating system might have backdoors. The food might be poisoned. Somebody might have planted a bomb at the car. But that's the risk one is usually willing to take because it is small enough. Of course, depending on where you live it might actually be an unbearable risk so you might need to take additional measures to protect you and your communication.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
1

That is equivalent to saying 'how can we trust police ?'.

Everything works hierarchically. Browsers and devices trust a CA by accepting the Root Certificate into its root store – essentially a database of approved CAs that come pre-installed with the browser or device. Windows operates a root store, as does Apple and a few other big ones. So basically, they are so powerful that they enforced browsers to automatically accept them as the most trusted and therefore if you trust them, you trust their 'IDs' too. Equivalent: Your citizen ID card which is emitted by your government and anyone will recognize it as trusted. This is the highest trust level.

Now if an entity is not that powerful, it has can have a next trust tier option: to sub-ordinate their certificates to one of the big main ones. Equivalent: Your drivers license card that can be emitted by a local (county) authority but that authority complies with government rules. Because of that, it will also end up as recognized by everyone. This is the second trust level. An example of such company is VMWare that currently is not a CA but may become one in the future.

Finally, a self-signed SSL Certificate is an identity certificate that is signed by the same entity whose identity it certifies. The problem here is that it will not be recognized by default by anyone. It's like you being a person print your own drivers permit. Well, this will be not recognized by anyone. Now if in your private area you and your neighbors accept to use your own private drivers permit and move around in your own areas, there is no problem there. All neighbors can accept each other's self-emitted drivers permits. But if you go in any public place with them, the permits will not be accepted.

Overmind
  • 8,829
  • 3
  • 19
  • 28