Introduction

One of the major challenges in our interconnected world is this: how can you verify the identity of people you ve never seen before so that you can do business with them, and how can you transmit confidential information over a public network like the Internet? While there are any number of solutions to both of these problems, one that has become widely used due to its relatively low cost and ease of deployment is the public key infrastructure, or PKI. You ll see PKIs implemented for any number of reasons, but the most common application is for e-commerce transactions. PKI provides a way for a seller to verify the identity of a buyer, and for customers to be sure that the company they re transmitting their credit card information to is really who they think it is.

To accomplish this, you have a number of certificate authorities, or CAs, who act as impartial third parties to establish and verify the identities of organizations doing business on the Internet. You see, the entire PKI system is dependent on the concept of trust. The e-commerce vendor trusts a third-party CA (such as VeriSign) to issue a PKI certificate for its use. The consumer, in turn, trusts that the certificate issued by VeriSign is genuine; that is, that VeriSign has done some form of due diligence to verify that they are issuing a certificate to a legitimate company. Because consumers trust VeriSign and the PKI certificate issued to the e-commerce vendor by