What are signing and root (digital) certificates of authenticity?
When you view a secure web site, your browser uses cryptography to verify that a certificate authority (CA), usually a trusted independent third party such as Thawte or VeriSign, or alternatively the IU Certificate Authority, has registered and identified the server. The verification occurs through the use of SSL certificates. The CA cryptographically signs the web server's certificate with the private key that belongs to the CA's own certificate, and your browser checks that signature against the public key in the CA's certificate. Because your browser trusts the CA, and the server proves during the SSL handshake that it holds the private key matching its certificate, your browser trusts that it is talking to the server named in the certificate.
The CA's certificate must itself be signed. If it is signed with its own private key, it is self-signed and is known as a root certificate; if it is signed by the root certificate, it is a signing certificate (also called an intermediate certificate). CAs will often sign their signing certificates with their root certificate, and then take the root's private key offline and store it in a physically secure facility. Their signing certificates are then actively used to sign server certificates, so that if a signing key is ever compromised, that one signing certificate can be revoked and replaced while the root remains intact.
Security and trust can be established as long as your browser can either assign a level of trust directly to the CA's signing certificate, or follow the chain of trust back to a root certificate already in its trust store by checking the cryptographic signature on every certificate in the chain. A server certificate whose chain ends at a root the browser does not know is not trusted, and the browser also checks that each certificate in the chain is within its validity period and that the server certificate names the site being visited.
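The following script is an added example and is not part of the original page. It builds the three-tier chain described above with the openssl command line (a self-signed root, a signing certificate issued by the root, and a server certificate issued by the signing CA), then checks the two trust configurations the text mentions and two ways verification should fail. The names Example Root CA, Example Signing CA and www.example.edu are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the chain
# root -> signing CA -> server with openssl and checks how it verifies.
# All names (Example Root CA, Example Signing CA, www.example.edu) are invented.
set -eu

# Extension profiles: the CA profile lets a certificate sign other
# certificates; the server profile forbids that and names the web site.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.edu
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# build_chain DIR: writes root.crt (self-signed), signing.crt (issued by the
# root) and server.crt (issued by the signing CA) into DIR.
build_chain() {
    dir="$1"
    cfg="$dir/ext.cnf"
    write_config "$cfg"

    # Root CA: a key and a certificate signed with that same key. In a real
    # CA this key is generated and kept on an offline machine.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    openssl req -x509 -new -key "$dir/root.key" -subj "/CN=Example Root CA" \
        -days 3650 -config "$cfg" -extensions v3_ca -out "$dir/root.crt"

    # Signing (intermediate) CA: its certificate is issued by the root.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/signing.key"
    openssl req -new -key "$dir/signing.key" -subj "/CN=Example Signing CA" \
        -config "$cfg" -out "$dir/signing.csr"
    openssl x509 -req -in "$dir/signing.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -set_serial 1000 -days 1825 \
        -extfile "$cfg" -extensions v3_ca -out "$dir/signing.crt"

    # Server certificate: issued by the signing CA, never by the root directly.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=www.example.edu" \
        -config "$cfg" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/signing.crt" \
        -CAkey "$dir/signing.key" -set_serial 2000 -days 365 \
        -extfile "$cfg" -extensions v3_server -out "$dir/server.crt"
}

# Each check below exits 0 when openssl accepts server.crt and non-zero
# when it rejects it, so the caller can test the result directly.

# Trust the root and supply the signing certificate as an untrusted
# intermediate: openssl walks the signatures back to the root.
verify_full_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/signing.crt" \
        -verify_hostname www.example.edu "$1/server.crt" >/dev/null 2>&1
}

# Trust the signing certificate directly, as the text's first option;
# -partial_chain tells openssl a chain may end at that trusted certificate.
verify_trusting_signing_ca() {
    openssl verify -partial_chain -CAfile "$1/signing.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Only the root is trusted and the signing certificate is missing: the
# signature on server.crt cannot be tied to any trusted certificate.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# A valid chain for the wrong site name is still rejected.
verify_wrong_hostname() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/signing.crt" \
        -verify_hostname mail.example.edu "$1/server.crt" >/dev/null 2>&1
}

# Build the chain in a scratch directory and report every check.
demo() {
    dir="$(mktemp -d)"
    build_chain "$dir"
    for check in verify_full_chain verify_trusting_signing_ca \
                 verify_without_intermediate verify_wrong_hostname; do
        if "$check" "$dir"; then echo "$check: accepted"; else echo "$check: rejected"; fi
    done
    rm -rf "$dir"
}
demo
```

Running the script prints one line per check: the first two are accepted and the last two rejected. The -partial_chain and -verify_hostname options need OpenSSL 1.0.2 and 1.1.0 or later respectively; browsers perform the equivalent checks internally, which is why a server that omits its signing certificate from the handshake often works in one browser (which has cached the intermediate) and fails in another.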
This document was developed with support from the National Science Foundation (NSF) under Grant No. 0503697 to the University of Chicago and subcontracted to Indiana University. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.
Last modified on November 20, 2008.