MeatballWiki

CertificateAuthority

In a PublicKeyInfrastructure which relies upon a HierarchicalTrust model, the certificate authority is the entity which is recognized (ideally) as trusted to traceably bind identities to their public keys: its signature on a certificate vouches that the named identity holds the corresponding private key.

Certificates are authenticators--they are used by third parties in confirming the identity of the agent proffering the certificate. In MeatSpace, things like driver's licenses, passports, and other forms of photo ID are often used as certificates. In these cases, the comparison between the photo and the person wielding the certificate is a central part of the authentication mechanism.

Online, the use of AsymmetricKeypairs largely replaces the central role filled by photos in MeatSpace authentication. The certificate binds an identity to a public key under the authority's signature, and the presenter proves possession of the matching private key; together these provide a difficult-to-forge relationship between the person associated with the certificate and the certificate itself.


In current (2001) practical terms, several widely-used web browsers are distributed with certificates already installed from certificate authorities--these certificates are root certificates. Any AuthenticationCertificate presented by a web server at the initiation of a web session is accepted as valid if it can be verified, through a chain of signatures (transitive trust), back to an already-installed root certificate.

For any certificate which cannot be traced back to an already-installed root certificate from a certificate authority, the browser might reject the certificate, or might prompt the user as to whether the user wants to accept the certificate.

As part of this dialogue, the user may be presented with a fingerprint (a cryptographic hash of the certificate), which can be compared against a value obtained through some other channel, to assist the user in deciding whether to accept the certificate.
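The chain check and fingerprint described above, as an added example that is not part of the original page: a shell script (assuming only that the OpenSSL command-line tool, 1.1.x or 3.x, is on PATH) builds a toy hierarchy of a self-signed root, an intermediate signed by the root, and a server certificate signed by the intermediate, then checks that the server certificate chains to the "installed" root, that it does not chain to an unrelated root, and prints the root's SHA-256 fingerprint. All names (Example Root CA, www.example.test, and so on) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Toy two-level PKI with the
# OpenSSL CLI (assumed on PATH): root -> intermediate -> server, then the
# check a browser performs: does the server certificate chain to a root
# we already trust? All names below are invented for the demonstration.
set -e
WORK=$(mktemp -d)

# CA certificates must assert basicConstraints CA:TRUE, otherwise
# "openssl verify" refuses to accept their signatures on other certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/server.ext"

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a certificate request.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# self_sign NAME EXTFILE: a root signs its own request (the trust anchor).
self_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -days 3650 -extfile "$2" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue NAME ISSUER EXTFILE: ISSUER's private key signs NAME's request.
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
  new_key_and_csr root "/CN=Example Root CA"
  self_sign root "$WORK/ca.ext"
  new_key_and_csr intermediate "/CN=Example Intermediate CA"
  issue intermediate root "$WORK/ca.ext"
  new_key_and_csr server "/CN=www.example.test"
  issue server intermediate "$WORK/server.ext"
  # An unrelated root that the "browser" never had installed.
  new_key_and_csr other "/CN=Some Other Root CA"
  self_sign other "$WORK/ca.ext"
}

# verify_chain LEAF INTERMEDIATE ROOT HOSTNAME: succeeds only if LEAF chains
# (via INTERMEDIATE) to the trusted ROOT and is issued for HOSTNAME.
# The output is tested for ": OK" because old openssl versions exited 0
# even when verification failed.
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" 2>&1 \
    | grep -q ': OK$'
}

# fingerprint CERT: SHA-256 hash of the DER certificate, the value a user
# could compare out of band before accepting an untraceable certificate.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

build_pki
echo "root fingerprint: $(fingerprint "$WORK/root.crt")"
if verify_chain "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/root.crt" www.example.test; then
  echo "server cert chains to the installed root: accepted"
fi
if ! verify_chain "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/other.crt" www.example.test; then
  echo "server cert does not chain to the other root: rejected (user would be prompted)"
fi
```

Note that the check passes the hostname as well as the root: a certificate that chains correctly but names a different host is still rejected, since the whole point of the authority's signature is the binding between a specific name and a key. A real browser additionally checks validity dates and revocation status, which this script omits.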


Real world examples of trusted authorities are manifold, including:

  • Motor vehicle departments, issuing drivers licenses, permits, and identity cards.
  • County or city registrars, issuing birth and death certificates, voting cards, etc.
  • Immigration control bureau, issuing passports, emigration papers, etc.
  • Other private or public authorities issuing licenses, diplomas, training certificates, or authorizations of merit, action, or activity.
  • In the digital world, companies such as Thawte and VeriSign are issuers of DigitalCertificates, which are touted as ensuring Web security. There are in fact significant issues with this model, as described by BruceSchneier.

-- KarstenSelf


CategoryCryptography

