2

Trust anchors and (root) certificates authorities are often used interchangeably and it's easy to think that they are the same thing. The answer in Can an intermediate CA be trusted like a self-signed root CA? contains some nice discussions about the difference but I was hoping that it could be further explained and nuanced.

Do they mean the same thing today? Do they have a different history? Is trust anchor a much broader expression that involves root CA's but that can be so much more?

fast-reflexes
  • 173
  • 4

2 Answers2

1

Basically they are looking at a similar thing from 2 different perspectives.

  • Trust anchor: This is the place where you start trusting another entity (e.a. A trust boundary)
  • Certificate Authority: A Entity (that you can trust) that issues certificates for others to trust

So a trust anchor is looking at the place we start trusting others…

And a Certificate Authority is an entity that acts as such a trust anchor for Certificates.

Maybe an example would help:

Let’s say you are walking in a shopping area and a police officer comes towards you and tells you to run track the way you came…

Now, how can we trust this is a real police officer? Is it the badge with the name and number on it? (Trust anchor)

Or is it that the officer works for the state (Certificate authority)

LvB
  • 8,336
  • 1
  • 27
  • 43
  • .. and in the world of public key infrastructure, are the two terms usually used interchangeably or are they very connected to different contexts? I have sort of gotten the impression by reading between the lines that this might be the case (not sure) so that's why I ask :) I'm probably wrong! – fast-reflexes Feb 11 '22 at 18:04
  • They are like 2 sides of the same coin. If your just talking about the coin there interchangeable. If looking at a specific side there different things. – LvB Feb 11 '22 at 21:05
  • Thank you for your answer! I will leave the question open for a bit as I'm curious about answers that are either more technical or that discusses the nuances from a historical perspective and / or from a standards perspective (x509 etc...) – fast-reflexes Feb 12 '22 at 12:41
0

The short answer is no they are different but people often do treat them the same.

First, I need to make a distinction between the company (the certificate authority) and the instrument (public certificate) that is used in a chain of trust. (see definition later)

Certificate Authority (CA) - A company and software that produces certificates for others to use. CA's generate a public key certificate and a private key for use on the web, see also Wikipedia's definition.

A certificate authority can have one or more certificates that they use for different purposes.

Google, for example, has a Root CA as well as an Intermediate CA as is found in the cert at www.google.com:

GTS Root 1
    + GTS CA 1C3
        + *.google.com

In this example, the final cert *.google.com was signed by an intermediate CA GTS CA 1C3 which was signed by the root CA GTS Root 1.

So to answer your question:

Are Trust anchors and (root) certificates authorities the same thing?

Given that people often say "Root CA" to mean the public certificate used to form the chain of trust in a certificate chain, then they are the same thing. In the example, the trust anchor GTS Root 1 could also be called the Root CA.

But I would not ever say the trust anchor GTS Root 1 is the Root Certificate Authority because spelling it out seems to indicate the company not the certificate.

The details of this answer

When trying to write this up I came across the following that I found helpful, so others might as well.

Some definitions are in order

Trust Anchor - refers to the top most certificate in a certificate chain of trust. A certificate is signed by a CA or it is a Root CA which is self signed. Also see Wikipedia's Trust anchor.

Chain of Trust - a chain of trust is a sequence of public certificates starting with the end certificate and going to the top of the chain of trust (called the Trust Anchor).

Self Signed Certificate - A certificate who's issuer is the same as the name of the cert. Technically, the issuer is the same as the subject. Root Certificates are by definition self signed.

It's important to note that developers often create self-signed certificates for use in development which are not considered Root Certs.

Root Certificate - a self signed cert where the issuer matches the subject. It's considered a root because another Intermediate certs refers to it. And it's placed in a Trust Store (see below).

Intermediate Certificate - if a certificate is signed by another certificate (higher in the chain of trust), it is called an Intermediate Certificate.

Trusted Root Certificate Store (aka TrustStore in Java)- refers to a container that holds a list of trusted certificates. These are either intermediate certificates or root certificates.

A trust anchor refer to the top-most certificate in a certificate chain. The top-most certificate can (and often is) a certificate in a root store but not always (in a developers self signed cert).

Wikipedia describes the Chain of Trust with a diagram that shows this how the subject and issuer work together to form the chain of trust.

enter image description here

By Fanyangxi - https://en.wikipedia.org/wiki/File:Chain_Of_Trust.svg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=126523095

PatS
  • 101
  • 1