“When we left our current topic last week, some niggling little
questions remained. We could come up with a number of examples, but
essentially it comes down to this one simple question: “How can
I trust the source of a public key?” All right, two questions.
The other is, “If we’re all sending signed and encrypted data, how
can I possibly verify every key on every web site or
keyserver?”

“Suppose you work for MegaCorp InterUniversal Inc., and
corporate policy says that all company e-mail must now be signed
and encrypted for it to be accepted by the system. Lately, your
competitor, UltraCorp MultiDimensional, has been trying to finagle
information from employees via bogus e-mails. No problem; your
public keys are posted on a keyserver so anyone can send you
encrypted e-mail. The problem is that MegaCorp has 23,000 employees
and business contacts. Again, how can you possibly verify all those
signatures?”

“In essence, that’s the idea behind companies like VeriSign and
GlobalSign. They provide a certificate signing authority that
validates public keys. Whenever you visit a web site that runs a
secure web server (SSL), that server will present your browser with
a certificate generated by that site. Normally, you do not see this
exchange at all. That’s because Netscape (and Internet Explorer)
employ various top-level signatures from trusted certificate
authorities to basically say, “Yes, that’s a good signature. You
don’t need to bother the user with this one.” The question of trust
has already been answered for you.”
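The check described in the last paragraph can be reproduced with the openssl command line. This is an added example, not part of the original text: the CA name, the file names and www.example.test are constructed, and a single demo CA stands in for the browser's built-in list of trusted authorities.

```shell
#!/bin/sh
# Added demo; every name, file and host below is constructed for illustration.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca FILE CN: self-signed certificate authority (key + certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_cert CAFILE FILE CN: new key pair for CN, public key signed by the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
        -CA "$work/$1.crt" -CAkey "$work/$1.key" -out "$work/$2.crt" 2>/dev/null
}

# trusted_by CAFILE FILE: succeeds only if FILE's signature chains to that CA.
trusted_by() {
    openssl verify -CAfile "$work/$1.crt" "$work/$2.crt" >/dev/null 2>&1
}

make_ca trusted  "Demo Trusted CA"   # stands in for a CA the browser ships with
make_ca impostor "Demo Trusted CA"   # same name, different key
issue_cert trusted  site  www.example.test
issue_cert impostor clone www.example.test

for cert in site clone; do
    if trusted_by trusted "$cert"; then
        echo "$cert: signature chains to the trusted CA, accepted silently"
    else
        echo "$cert: no valid signature from the trusted CA, user is warned"
    fi
done
```

Both certificates carry the same host name and the same issuer name; only the one whose signature was made with the trusted CA's private key verifies.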