As mentioned in the previous section, in order for digital certificates to be effective, the users of the network must have a high level of trust in the certificate. But what happens if someone doesn't trust the Certification Authority (CA)—perhaps the person has never heard of the CA before, and therefore is uncomfortable with accepting the certificate at face value? This problem is addressed in the certifying process, by something called the hierarchy of trust.
The concept of hierarchy of trust is simply that the process must begin with some certifying authority that everyone agrees is trustworthy. Perhaps this could be some agency of the federal government, such as the U.S. Postal Service, or some company that everyone agrees is trustworthy. This ultimate authority, whatever it is, is called the root authority. The root authority can then certify other, first-tier CAs, who can then certify second tier CAs, as shown in the following illustration.
When a certificate that has been issued by a tier 1 or tier 2 CA is received by someone on the network, that person can verify that the CA that signed the certificate has been certified by the level above it, and that the one at that level has been certified by the one above it, until it is determined that a chain of trust exists between the lower level CA and the root CA. For example, in the preceding diagram, it could be verified that CA #4 was certified by CA #1 and that CA #1 was certified by the root CA. This means that when a certificate from a lower-level CA is passed along with the encrypted message, all of the certificates in its chain of trust up to the root should be passed along with it.
It should be noted that the diagram and description just presented is conceptual, and that in the real world the situation is rapidly evolving, with no single root authority having been established or accepted. It appears that, for the short term, it may be that islands of authority will develop as shown in the following illustration.
As time passes, it is possible that the root islands (Root 1 and Root 2 in the illustration) could become Tier 1 CAs to a single root CA. At that point, the situation would again have a single root authority, as shown in the illustration earlier in this topic. It remains to be seen just how the actual picture is going to evolve.