
As long as you're careful to really keep your private keys private, the root of trust gets shifted from a hierarchy of corporations to individuals you know and (personally) trust. I like this "real trust" model a lot more than the current one of a central authority and "being told who to trust", and I think all the advocates of "if you want to use HTTPS you should buy a cert from a CA" are missing this point.


I assume the certs are delivered over ssl from the CA to the client requesting the webserver, is that the case?


When you hit an SSL site, the remote server (the one you're browsing) presents a number of certificates: one for the actual secure domain, and one or more for the CA that signed that certificate (sometimes more than one because the CAs have intermediate keys: a key which signed a key which signed... etc.).

The CA itself is not a party to this exchange, they only provide the end product - a signed certificate.

If you trust the CA (in your browser config), you also trust by extension every certificate that CA has ever signed (barring revocation lists).
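The chain handshake described in this comment, as an added example that is not from the thread: the script below uses openssl to build a made-up root -> intermediate -> leaf chain in a scratch directory, then checks a leaf the way a browser would, with only the root in the trust store and whatever intermediates the server presented passed as untrusted. All names (Example Root CA, www.example.test, the rogue CA) are constructed for the demo.

```shell
#!/bin/sh
# Added example: root CA -> intermediate -> leaf, verified against a trust store
# holding only the root. Hypothetical names throughout; nothing here is real.
set -e
WORK=$(mktemp -d)

# Key + CSR for one name. The CSR is what a real CA receives out of band; the CA
# never takes part in the later TLS handshake, it only hands back a signed cert.
mk_csr() {  # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  mk_csr root "Example Root CA";  mk_csr inter "Example Intermediate CA"
  mk_csr leaf "www.example.test"; mk_csr rogue "Rogue Root CA"
  mk_csr rogueleaf "www.example.test"
  # Root signs itself: this is the certificate a browser ships in its trust store.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Root signs intermediate, intermediate signs leaf ("a key which signed a key").
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # A second CA that is NOT in the trust store signs a cert for the same host name.
  openssl x509 -req -in "$WORK/rogue.csr" -signkey "$WORK/rogue.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/rogue.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/rogueleaf.csr" -CA "$WORK/rogue.pem" -CAkey "$WORK/rogue.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/rogueleaf.pem" 2>/dev/null
}

# Verify a leaf like a browser: trust store = root.pem only, plus whatever the
# server sent alongside the leaf (-untrusted). Prints OK or FAIL.
verify_leaf() {  # $1 = leaf pem, $2 = intermediate pem sent by the server, or "" if none
  if openssl verify -CAfile "$WORK/root.pem" ${2:+-untrusted "$2"} \
       -verify_hostname www.example.test "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_chain
verify_leaf "$WORK/leaf.pem" "$WORK/inter.pem"       # OK: full chain presented
verify_leaf "$WORK/leaf.pem" ""                      # FAIL: server omitted the intermediate
verify_leaf "$WORK/rogueleaf.pem" "$WORK/rogue.pem"  # FAIL: right name, signer not trusted
```

The second case is the common misconfiguration in practice: the leaf is perfectly valid, but clients that do not fetch missing intermediates themselves cannot link it to the root they trust.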


Thanks for the explanation. I was under the mistaken impression that communication took place with the CA every time a server was visited.



