Page 443 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
GoDaddy
DigiCert
Secom
Entrust
Actalis
Trustwave
Nothing is preventing any organization from simply setting up shop as
a CA. However, the certificates issued by a CA are only as good as the
trust placed in the CA that issued them. This is an important item to
consider when receiving a digital certificate from a third party. If you
don’t recognize and trust the name of the CA that issued the
certificate, you shouldn’t place any trust in the certificate at all. PKI
relies on a hierarchy of trust relationships. If you configure your
browser to trust a CA, it will automatically trust all of the digital
certificates issued by that CA. Browser developers preconfigure
browsers to trust the major CAs to avoid placing this burden on users.

Registration authorities (RAs) assist CAs with the burden of verifying
users’ identities prior to issuing digital certificates. They do not
directly issue certificates themselves, but they play an important role
in the certification process, allowing CAs to remotely validate user
identities.

Certificate Path Validation

You may have heard of certificate path validation (CPV) in your
studies of certificate authorities. CPV means that each certificate in
a certificate path from the original start or root of trust down to the
server or client in question is valid and legitimate. CPV can be
important if you need to verify that every link between “trusted”
endpoints remains current, valid, and trustworthy.
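
The path check described above, sketched as an added example (not from the study guide): every link from the leaf up to a trusted root must be inside its validity period, issued by the next certificate, and correctly signed. The `Cert` model, the CA names, the keys and the dates are constructed, and HMAC stands in for the CA's public-key signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Cert:  # constructed model of a certificate, not an X.509 parser
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool
    sig: bytes = b""

    def tbs(self) -> bytes:  # the fields the issuer signs
        return "|".join([self.subject, self.issuer, self.not_before.isoformat(),
                         self.not_after.isoformat(), str(self.is_ca)]).encode()

def _mac(key: bytes, cert: Cert) -> bytes:
    # Assumption: HMAC stands in for the CA's public-key signature.
    return hmac.new(key, cert.tbs(), hashlib.sha256).digest()

def sign(cert: Cert, issuer_key: bytes) -> Cert:
    cert.sig = _mac(issuer_key, cert)
    return cert

def validate_path(chain, anchors, keys, now):
    """chain is ordered leaf first, root last. Returns (ok, reason)."""
    if not chain or chain[-1].subject not in anchors:
        return False, "path does not end at a trusted root"
    for i, cert in enumerate(chain):
        parent = chain[i + 1] if i + 1 < len(chain) else cert  # root signs itself
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if i > 0 and not cert.is_ca:
            return False, f"{cert.subject}: not a CA certificate"
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer does not match next link"
        if not hmac.compare_digest(cert.sig, _mac(keys.get(parent.subject, b""), cert)):
            return False, f"{cert.subject}: signature check failed"
    return True, "path valid"

def day(y, m=1, d=1):
    return datetime(y, m, d, tzinfo=timezone.utc)

KEYS = {"Example Root CA": b"root-key", "Example Issuing CA": b"issuing-key"}  # constructed

def build_chain(intermediate_expiry):  # constructed sample: leaf, intermediate, root
    root = sign(Cert("Example Root CA", "Example Root CA", day(2015), day(2040), True), KEYS["Example Root CA"])
    inter = sign(Cert("Example Issuing CA", "Example Root CA", day(2020), intermediate_expiry, True), KEYS["Example Root CA"])
    leaf = sign(Cert("www.example.test", "Example Issuing CA", day(2024), day(2025, 6), False), KEYS["Example Issuing CA"])
    return [leaf, inter, root]
```

Calling `validate_path(build_chain(day(2024, 6)), {"Example Root CA"}, KEYS, day(2024, 9))` rejects the path because of the intermediate alone, even though the leaf and the root are both still current.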

This issue arises from time to time when intermediary systems’
certificates expire or are replaced; this can break the chain of trust

