Certificate Authorities and Public Keys

Written by Mike Rede on October 18, 2008

So I’ve written about different ciphers recently, such as RC4, RC5, RC6, DES, 3DES, IDEA and AES, and I’ve explained the use of public and private keys during the encryption/decryption process.

When using public keys, a sender can make their public key available to the intended receivers through various means such as email, fax, etc. But how does a receiver know that the public key they have received really came from the purported sender? How can we be sure that the owner of a public key is who they claim to be?

One method is to mutually rely on a trusted third party to verify the true ownership of a public key. Such a trusted third party is called a Certificate Authority (CA).

Certificate Authorities are trusted entities that safely distribute public keys and sign public key certificates. A certificate always contains three pieces of information: a name, a public key, and a digital signature computed over the name and the public key. It is that signature which binds the name to the public key. But how do you obtain a certificate?

Let’s suppose that Paul wants to send his public key to Rhonda so that he can later send a secure email to Rhonda, which she will decrypt using Paul’s public key. Both Paul and Rhonda must trust a third party, which we’ll call Tim, the CA. Paul asks Tim to sign a certificate containing Paul’s name and public key. Tim signs the certificate, and now Paul can safely send it to Rhonda. Upon receiving the certificate, Rhonda validates it by checking the digital signature with her copy of Tim’s public key.

You’re probably asking “…but how did Rhonda get Tim’s public key?” As it turns out, very few public keys need to be exchanged by hand thanks to Certificate Authorities. It is the public keys of the Certificate Authorities themselves that are exchanged manually by email, fax, etc.; every other public key is then vouched for by a CA’s signature on its certificate.
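As an added worked example (not code from the original post), here is the Paul, Rhonda and Tim exchange in Go using the standard library’s Ed25519 signatures. The certificate is modelled as exactly the three pieces listed above (a name, a public key, and the CA’s signature over both), Rhonda verifies it with the one key she obtained manually (Tim’s), and the two cases that must fail are shown failing: a certificate whose public key has been swapped after signing, and a certificate signed by a CA whose key Rhonda never received. The certificate encoding, the choice of Ed25519 and the sample message are assumptions for illustration; real CAs issue X.509 certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate: the three pieces the post lists (toy format, not X.509).
type Certificate struct {
	Name      string            // who the key belongs to
	PublicKey ed25519.PublicKey // the subject's public key
	Signature []byte            // CA signature over Name and PublicKey
}

// tbs ("to be signed"): 4-byte big-endian name length, the name, then the raw key.
func (c Certificate) tbs() []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(c.Name)))
	return append(append(n[:], c.Name...), c.PublicKey...)
}

// CA is the trusted third party (Tim). priv never leaves it; Pub is the one key
// relying parties such as Rhonda must obtain manually.
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Pub: pub, priv: priv}, nil
}

// Issue binds name to pub by signing them with the CA's private key.
func (ca *CA) Issue(name string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Name: name, PublicKey: pub}
	c.Signature = ed25519.Sign(ca.priv, c.tbs())
	return c
}

// Verify is what Rhonda runs with the CA key she already holds; any change to
// the name or the key after signing makes the signature fail.
func Verify(c Certificate, caPub ed25519.PublicKey) error {
	if len(caPub) != ed25519.PublicKeySize || len(c.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return errors.New("signature does not verify under the trusted CA key")
	}
	return nil
}

// DemoResult records each step of the Paul/Rhonda/Tim exchange.
type DemoResult struct {
	GenuineOK       bool // Tim-signed certificate for Paul verifies under Tim's key
	SwappedKeyFails bool // same certificate with a substituted key is rejected
	UnknownCAFails  bool // certificate from a CA Rhonda never trusted is rejected
	MessageOK       bool // Paul's message signature checks under the certified key
}

func Demo() (DemoResult, error) {
	var r DemoResult
	tim, err := NewCA()
	if err != nil {
		return r, err
	}
	paulPub, paulPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// Paul has Tim certify his key and sends the certificate to Rhonda.
	cert := tim.Issue("Paul", paulPub)
	r.GenuineOK = Verify(cert, tim.Pub) == nil
	// A copy with another key pasted in still carries Tim's signature, but that
	// signature no longer covers what the certificate now claims.
	swapped := cert
	swapped.PublicKey = tim.Pub // any other 32-byte key would do
	r.SwappedKeyFails = Verify(swapped, tim.Pub) != nil
	// A certificate from a CA whose key Rhonda never received is worthless to her.
	stranger, err := NewCA()
	if err != nil {
		return r, err
	}
	r.UnknownCAFails = Verify(stranger.Issue("Paul", paulPub), tim.Pub) != nil
	// Certificate validated, Rhonda checks Paul's signature on a constructed message.
	msg := []byte("constructed sample message from Paul")
	r.MessageOK = ed25519.Verify(cert.PublicKey, msg, ed25519.Sign(paulPriv, msg))
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it with `go run` prints all four fields as `true`. The point to take away is that the signature covers the name and the key together: changing either one after Tim signed, or presenting a signature from a CA Rhonda does not hold a key for, is detected before Rhonda ever trusts the enclosed key.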

Some well-known Certificate Authorities include VeriSign and Thawte. Thawte is owned and operated by VeriSign, Inc. (Nasdaq: VRSN); following its acquisition in 2000, Thawte has continued as a distinct brand within the VeriSign stable.
