4

Another newbie question but I just don't get the purpose of certificates signed and trusted by CA. We already have public/private keys, hash functions to sign/encrypt messages so why do we need certificates?

paulmorriss
Cemre

1 Answer

10

— Hello, I'm Facebook. Trust me, now type your Facebook password.

Ok, so you have the public key of a website. And that website declares that it is Facebook. How do you know that this is really “the” Facebook, and not some Facebook impersonator?

When your browser visits https://www.facebook.com/, it retrieves not just a public key, but a public key certificate. Rendered in English, that certificate says roughly (in a way that is cryptographically verified):

  1. I call myself facebook.com, and this is my website.
  2. Verisign has verified that I have some right to the name facebook.com.

Verisign is a certificate authority. Its role is to ascertain that the public key is really Facebook's. Facebook obtained this certificate by proving that they had access to the private key and showing some kind of proof of identity to Verisign.

Your browser or your operating system is preloaded with a short (a couple of hundred) list of certificate authorities. It trusts these authorities to verify the identity of websites. Your browser could not realistically be preloaded with the ever-changing millions-strong list of websites. Nor would it be feasible to verify out of band (how, anyway?) the identity of each and every website you access over HTTPS.

Certificate authorities are one of the ways to set up a public key infrastructure. There are a few parties (the CAs) that everybody knows; you get to know other people because CAs have given them identity papers. Identity papers, by the way, are a non-cryptographic form of web of trust: you trust that this guy over there is really John Smith because his government-issued passport says that he's John Smith.

The main alternative to CAs is a web of trust, where everybody knows a few other people, and you try to establish a path from yourself through who you know to who you want to talk to. It doesn't work well on the web because people typically want to access websites that they just discovered via Google; they don't want to spend a lot of time and energy verifying some mumbo-jumbo certificate.

Note that the description above represents the theory. In practice, as always, things can go wrong, especially CAs botching the verification. But most of the time — enough of the time to be useful — the CAs serve as roots of trust for website identities.

Follow-up reading: Certificate authorities for a PKI

Gilles 'SO- stop being evil'
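The check the answer describes, as an added example in Go that is not part of the original answer: a root CA is "preloaded" into a trust store, a site certificate signed by that CA passes, a certificate for the same name signed by a CA nobody trusts fails, and the genuine certificate fails when offered for a host name it was not issued for. The CA names, host names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for name: self-signed (a root CA) when parent is nil,
// otherwise signed by the parent CA's key, which is the CA vouching for the name.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // a site certificate states the host name it claims ("I call myself ...")
		tmpl.DNSNames = []string{name}
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario plays the browser: a certificate passes only if its chain ends at a preloaded
// root AND it is valid for the host name visited. Constructed names throughout.
func Scenario() (genuine, impostor, wrongName error) {
	ca, caKey := issue("Trusted Root CA (constructed)", true, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's preloaded CA list
	roots.AddCert(ca)
	site, _ := issue("www.example.com", false, ca, caKey)
	rogueCA, rogueKey := issue("Rogue CA (constructed)", true, nil, nil)
	fake, _ := issue("www.example.com", false, rogueCA, rogueKey) // same name, untrusted issuer
	_, genuine = site.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.com"})
	_, impostor = fake.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.com"})
	_, wrongName = site.Verify(x509.VerifyOptions{Roots: roots, DNSName: "login.example.com"})
	return genuine, impostor, wrongName
}
```

The impostor's signature is cryptographically valid; it is rejected purely because its issuer is not in the trust store, which is the point of the preloaded CA list.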