Hierarchy of Trust

Windows Mobile 6.5
4/8/2010

For digital certificates to be useful, the parties that rely on them must be able to trust them. A relying party may have no basis for trusting the issuer of a particular certificate: it may never have heard of that certification authority (CA) and so be unwilling to accept a certificate from that issuer at face value. The certification process addresses this problem with a hierarchy of trust.

A hierarchy of trust starts from at least one certification authority that is accepted as trustworthy outright. This might be a government agency, such as a postal service, or a company whose trustworthiness everyone agrees on. Whatever it is, this ultimate authority is called the root authority. The root authority certifies other CAs, called first-tier CAs, which can both issue certificates and certify additional, second-tier CAs. The following illustration shows the hierarchy of trust.

[Illustration: the hierarchy of trust, with a root CA certifying first-tier CAs, which in turn certify second-tier CAs]

Every certificate names the CA that issued it; that CA is the certificate's issuer. When the issuer is a first-tier or second-tier CA, the receiver of the certificate checks that the issuer was certified as a valid CA by a CA one level above it, that this higher-level CA was in turn certified by the CA above it, and so on, until a chain of trust has been established from the lowest-level CA up to the root CA.

For example, in the preceding diagram, it can be verified that CA #4 was certified as a CA by CA #1, and that CA #1 was certified as a CA by the root CA. So that the receiver can perform these checks, a certificate issued by a lower-level CA is passed along with the message together with the certificates of every CA in its chain of trust up to the root. The root certificate itself, however, must already be present in the receiver's own store of trusted roots: a root that arrives only with the message proves nothing, because anyone can create a self-signed certificate and name it a root.

The diagram and description presented so far are conceptual. In practice, the certification authority landscape is still evolving, and no single root authority has been established or universally accepted; instead there are several independent hierarchies, or islands of trust, each headed by its own root. The following illustration shows the islands of trust hierarchy.

[Illustration: islands of trust, with Root 1 and Root 2 each heading an independent hierarchy]

In time, the root islands, Root 1 and Root 2 in the illustration, could become first-tier CAs under a single root CA, at which point there would again be a single root authority. It remains to be seen how the actual picture will evolve. Until then, a receiver must hold the root certificate of every island it wants to trust in its own trusted root store, because a chain that ends at a root the receiver does not hold cannot be verified.
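The chain walk described earlier (a certificate from CA #4 verified up through CA #1 to the root) and the islands of trust just illustrated, as an added Go example that is not part of this MSDN page. It uses Go's standard crypto/x509 package (a tooling assumption; the page describes no code) to build the page's diagram as real certificates, with the root certifying CA #1, CA #1 certifying CA #4, and CA #4 issuing an end-entity certificate, and then checks the chain the way a receiver does. The names Root 1, Root 2, CA #1 and CA #4 come from the page; the leaf name device.example, the use of ECDSA P-256 keys, and the function and type names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an X.509 certificate for subject and signs it with the
// parent's key. When parent is nil the certificate is self-signed, which is
// how a root authority certifies itself. ECDSA P-256 is an assumption.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey // certified by the CA one tier up
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Hierarchy is the chain from the page's first illustration: the root CA
// certifies CA #1, CA #1 certifies CA #4, and CA #4 issues the end-entity
// certificate that travels with a message. "device.example" is assumed.
type Hierarchy struct {
	Root, CA1, CA4, Leaf *x509.Certificate
}

// BuildHierarchy creates a fresh island of trust headed by a root of the given name.
func BuildHierarchy(rootName string) (*Hierarchy, error) {
	root, rootKey, err := issue(rootName, true, nil, nil)
	if err != nil {
		return nil, err
	}
	ca1, ca1Key, err := issue("CA #1", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	ca4, ca4Key, err := issue("CA #4", true, ca1, ca1Key)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("device.example", false, ca4, ca4Key)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, CA1: ca1, CA4: ca4, Leaf: leaf}, nil
}

// VerifyChain does what the receiver of a certificate does: starting from the
// leaf it checks that each certificate was signed by the issuer it names,
// stepping up one tier at a time, and accepts the chain only if it ends at a
// root already held in the receiver's own trusted root store. Certificates
// shipped with the message are used only as intermediates, never as roots.
// It returns the subject names of the verified chain, leaf first.
func VerifyChain(leaf *x509.Certificate, shipped []*x509.Certificate, trustedRoots []*x509.Certificate) ([]string, error) {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	intermediates := x509.NewCertPool()
	for _, c := range shipped {
		intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	island1, err := BuildHierarchy("Root 1")
	if err != nil {
		panic(err)
	}
	island2, err := BuildHierarchy("Root 2")
	if err != nil {
		panic(err)
	}
	// What travels with the message: the CA certificates up to, but not including, the root.
	shipped := []*x509.Certificate{island1.CA4, island1.CA1}

	chain, err := VerifyChain(island1.Leaf, shipped, []*x509.Certificate{island1.Root})
	fmt.Println("receiver trusts Root 1:", chain, err)

	_, err = VerifyChain(island1.Leaf, shipped, []*x509.Certificate{island2.Root})
	fmt.Println("receiver trusts only Root 2 (separate island):", err)

	_, err = VerifyChain(island1.Leaf, append(shipped, island1.Root), nil)
	fmt.Println("Root 1 shipped with the message but not in the trusted store:", err)
}
```

The first check succeeds and reports the chain device.example, CA #4, CA #1, Root 1. The second fails because the receiver's store holds only Root 2, which heads a different island of trust, and the third fails even though Root 1 is present in the shipped certificates: the receiver's trusted root store, not the message, decides which roots are trusted.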
