Root Certificates and How They Are Used with Data Encryption
A root certificate is part of a PKI (Public Key Infrastructure) and carries the digital signature of a certification authority. Root certificates are public key certificates that can be self-signed or unsigned, and they are used to validate, for the recipient, data sent by the sender.
How Root Certificates Work
Root certificates are created to verify the identity of a party that is creating data to be transmitted to an end user in a secure and encrypted format. It is a certificate that is issued by a certification authority that is certified by a higher certification authority. Certification works like a chain of command, with the root certificate acting as the root of the certificate tree.
For example, root certificates are included with the Windows Vista operating system. When a user accesses secure email or a secure website, this creates contact with a new root certificate, which goes through the chain of command for certification through the Windows certificate verification software. Once the root certificate is verified, the system will download it automatically. The download takes place behind the scenes, and the user never sees the verification unless a security warning dialog reveals a problem.
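The chain-of-command check described above, as an added example that is not part of the original article: each certificate's signature is verified with its issuer's public key until a self-signed root is reached, and that root counts only if it is already in the local trust store. The certificate fields, names and textbook-RSA keys are constructed for illustration and are not secure; real certificates are X.509 structures validated by the operating system or TLS library.

```python
import hashlib

def keypair(p, q, e=65537):
    # Textbook RSA from two known primes: constructed and insecure, demo only.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    # Hash of the signed fields (everything except the signature), reduced mod n.
    body = f'{cert["subject"]}|{cert["issuer"]}|{cert["pub"]}'.encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    # The issuer signs the subject's name and public key with its private key.
    cert = {"subject": subject, "issuer": issuer,
            "pub": (subject_key["n"], subject_key["e"])}
    cert["sig"] = pow(digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def validate(leaf, pool, trusted_roots):
    # Walk from the leaf up to a self-signed root; return (ok, reason, path).
    by_subject = {c["subject"]: c for c in pool}
    cert, path = leaf, []
    while True:
        path.append(cert["subject"])
        self_signed = cert["issuer"] == cert["subject"]
        issuer = cert if self_signed else by_subject.get(cert["issuer"])
        if issuer is None:
            return False, "issuer not found", path
        n, e = issuer["pub"]
        if pow(cert["sig"], e, n) != digest(cert, n):
            return False, "bad signature", path
        if self_signed:
            # Only a root already present in the local store anchors trust.
            ok = trusted_roots.get(cert["subject"]) == cert["pub"]
            return ok, "trusted root" if ok else "root not in trust store", path
        if issuer["subject"] in path:
            return False, "loop in chain", path
        cert = issuer

# Constructed sample hierarchy: root -> issuing CA -> server certificate.
ROOT_KEY = keypair(2**89 - 1, 2**107 - 1)
CA_KEY = keypair(2**61 - 1, 2**127 - 1)
LEAF_KEY = keypair(2**19 - 1, 2**31 - 1)
ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY)
CA = issue("Example Issuing CA", CA_KEY, "Example Root CA", ROOT_KEY)
LEAF = issue("www.example.test", LEAF_KEY, "Example Issuing CA", CA_KEY)
TRUSTED = {ROOT["subject"]: ROOT["pub"]}

if __name__ == "__main__":
    print(validate(LEAF, [CA, ROOT], TRUSTED))
```

A chain that verifies cryptographically still fails when its root is absent from the trust store, which is why the contents of that store matter as much as the signatures.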
Root Certificate Concerns
Although root certificates identify the author of the encrypted data or software applications such as Web browsers, there is no way to tell if there are any errors in the chain of command for verification. Additionally, it must be assumed that the publisher of the data or software application is trustworthy and that the root certificate is genuine and certified by a genuine authority. For this reason, the certification authorities who issue root certificates have to be careful of persons who use them for criminal purposes and other malicious acts.
As it stands at the moment, the policies for revoking a root certificate that has been used to author malicious software remain in question. Additionally, to determine how trustworthy a root certificate is, the user must scan a long and involved Certificate Practice Statement before deciding that the root certificate is trustworthy. On the other hand, Microsoft assesses potential certification authorities before qualifying them and issuing a root certificate. This requires assessors who are trustworthy and have performed extensive audits on the certification authorities.
As a general rule, a certification authority having its own trusted root certificate already installed in the software is a positive indication that it is a credible organization with a long-term relationship with the browser creators. A chained root certificate provider is likely to be less credible, because chained providers do not use their own root certificates and usually do not have an established relationship with a browser vendor.