
Certificate Authority (CA)

A Certificate Authority is a trusted organization that issues digital certificates and digitally signs them to verify the identity of the certificate holder. It is the root of trust in PKI — its signature on a certificate says 'I have verified this identity, and I bind this public key to it.'

# WHAT TEAMS RUN INTO

  • CA compromise is catastrophic. If a Certificate Authority is compromised, attackers can issue certificates for any domain, impersonate any website, and conduct invisible man-in-the-middle attacks.

  • Users don't control which CAs they trust. Operating systems and browsers ship with dozens of trusted CAs from all over the world. Any of them can issue certificates, and most users have no idea who they trust.

  • CA accountability is weak. When a CA issues a bad certificate, the recourse is limited. The certificate can be revoked, but revocation checking is unreliable, and the damage is already done.
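The second point above can be checked on any machine by inventorying its trust store. The following is an added example, not part of the original glossary entry; the function names and the sample CAs are constructed for illustration, and it uses only Python's standard `ssl` module.

```python
import ssl
import time
from collections import Counter


def _field(name, key):
    """Return one attribute (e.g. organizationName) from an ssl-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def summarize_roots(certs, now):
    """Count trust anchors per operator and country; list operators with expired roots."""
    by_org, by_country, expired = Counter(), Counter(), []
    for cert in certs:
        subject = cert.get("subject", ())
        org = (_field(subject, "organizationName")
               or _field(subject, "commonName") or "<unnamed>")
        by_org[org] += 1
        by_country[_field(subject, "countryName") or "<none>"] += 1
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(org)
    return {"total": len(certs), "by_org": dict(by_org),
            "by_country": dict(by_country), "expired": expired}


def _root(not_after, **attrs):
    """Build a constructed entry in the shape SSLContext.get_ca_certs() returns."""
    return {"subject": tuple(((k, v),) for k, v in attrs.items()),
            "notAfter": not_after}


# Constructed sample data (hypothetical CAs), not a real trust store.
SAMPLE_ROOTS = [
    _root("Jan  1 00:00:00 2035 GMT", countryName="US",
          organizationName="Example Trust Co", commonName="Example Root R1"),
    _root("Jan  1 00:00:00 2020 GMT", countryName="US",
          organizationName="Example Trust Co", commonName="Example Root R0"),
    _root("Jan  1 00:00:00 2040 GMT", countryName="DE",
          commonName="Sample Root Authority"),
]

if __name__ == "__main__":
    # Live inventory of this machine. Stores loaded from a certificate
    # directory are read lazily, so the list can be empty on some systems.
    live = ssl.create_default_context().get_ca_certs()
    source = "system store" if live else "constructed sample"
    print(source, summarize_roots(live or SAMPLE_ROOTS, time.time()))
```

Every entry counted here is an issuer whose certificates the machine accepts for any domain, so the per-operator and per-country totals show how broad that default trust is.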

# WHY IT MATTERS

Certificate Authorities are the guardians of encrypted communication. When a CA is trusted, its certificates become trusted. But CAs have been compromised, have issued bad certificates, and have sometimes been forced by governments to issue fake certificates. The CA system works until it doesn't, and when it fails, failure is invisible to users.
