
I assume the certs are delivered over SSL from the CA to the client requesting the webserver, is that the case?


When you hit an SSL site, the remote server (the one you're browsing) presents a number of certificates. One for the actual secure domain, and one or more for the CA that signed that certificate (sometimes more than one because the CAs have intermediate keys. A key which signed a key which signed... etc.)

The CA itself is not a party to this exchange, they only provide the end product - a signed certificate.

If you trust the CA (in your browser config), you also trust by extension every certificate that CA has ever signed (barring revocation lists).
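An added example, not from this thread, showing what the comment above describes with the openssl CLI: the client holds only the root, the server hands over the leaf plus intermediate in the handshake, and the chain is checked offline without any contact with the CA. The CA names and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> leaf
# chain with the openssl CLI, then validate it the way a browser does: only the
# root is trusted locally, the intermediate arrives from the web server in the
# handshake, and the CA is never contacted. All names here are constructed.
set -e
WORK=$(mktemp -d)
# Extensions for a signing CA and for an end-entity (server) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# 1. Root CA: self-signed. This is the only thing the client has ahead of time.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA: "a key which signed a key", itself signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# 3. Leaf: the site's certificate, signed by the intermediate, never by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# What the server sends in the handshake: the leaf first, then the intermediate(s).
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_chain.pem"

# Client-side check: only the root is trusted, the served intermediate is just an
# untrusted hint for chain building. No network, no contact with the CA.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/served_chain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Same trusted root, but the server forgot to send the intermediate: the chain
# cannot be built up to the root, the classic misconfigured-server error.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

echo "with intermediate:    $(verify_with_intermediate)"     # OK
echo "without intermediate: $(verify_without_intermediate)"  # FAIL
```

The second check is why an HTTPS site can look fine in a browser that has cached the intermediate from another site yet fail for a fresh client: trust in the root alone is not enough if the server does not serve the link to it.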


Thanks for the explanation, I was under the mistaken impression that communication took place with the CA every time a server was visited.

