
How does a CA decide if entity is trustworthy


I am currently programming a Certification Authority for a uni class, and I am struggling with the concept of creating the certificates.

How does a CA usually decide if it should give a Certificate to an entity? Is it enough to prove that the entity is the owner of a public key by signing a certificate request with their private key?

If not, how does a CA usually decide if the entity is trustworthy?

Thanks,


Solution

  • There are different levels of trust associated with different types of certificate.

    Basic SSL Certificates:

    A basic SSL certificate for a website, for example, is often an automated process, which validates by sending a unique time-expired URL (or a code that must be entered in an online form) to an email address associated with the domain's WHOIS record.

    For Extended Validation:

    For stronger verification (such as in the case of SSL 'Extended Validation', where you see a green address bar in modern browsers), it is common practice to establish the legitimacy of the owner by correlating multiple sources of information, such as requesting a utility bill/certificate of incorporation/registered corporation details (e.g. Dun and Bradstreet/Companies House Registration (UK) or equivalent) and the domain's WHOIS information, to make sure they all exactly match up with the same addresses and company name.

    In the case of certificates for an individual, a photocopy of a driver's licence with a photograph, or a passport, is often required.

    It is common practice to also call back via an identified phone to confirm the order is legitimate. The legitimacy of the phone number is typically based on one in the WHOIS information, or the number listed on a phone bill provided by a utility company.

    The process for Extended Validation certificates is typically very similar if not identical to the process for Code Signing certificates (where the domain used as the email contact for the record is often taken as a domain you must be in control of the WHOIS information for).

    It varies slightly from Registrar to Registrar, and it can be a bit informal and ad hoc sometimes (because some things that are easy for a small company to provide are difficult to get hold of in a large corporation, and vice versa, so there tend to be multiple alternative methods accepted).
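As an added illustration (not code from the question or the answer), here is a minimal version of the automated domain-validation step described above, in Python's standard library: a random, time-limited, single-use token that is bound to one CSR and may only be sent to an address on the domain's WHOIS record. The WHOIS table and the CSR bytes are constructed stand-ins, and verifying the CSR's own signature (proof of possession of the private key) is assumed to have been done beforehand with an X.509 library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a WHOIS lookup: domain -> contact addresses on the record.
WHOIS_CONTACTS = {"example.com": {"admin@example.com", "hostmaster@example.com"}}

TOKEN_TTL = timedelta(hours=24)  # the "time-expired" part of the challenge


def _hash(token: str) -> str:
    # Store only a digest, so a leaked challenge table does not leak live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Challenge:
    domain: str
    csr_fingerprint: str   # ties the token to one specific CSR
    token_hash: str
    expires_at: datetime
    used: bool = False     # single use: a replayed token must not validate again


class DomainValidator:
    def __init__(self):
        self._challenges = {}  # (domain, csr_fingerprint) -> Challenge

    def create_challenge(self, domain: str, contact_email: str,
                         csr_der: bytes, now: datetime) -> str:
        # The challenge may only go to an address taken from the domain's WHOIS record;
        # the applicant does not get to choose where it is delivered.
        if contact_email not in WHOIS_CONTACTS.get(domain, set()):
            raise ValueError("contact address is not on the WHOIS record for " + domain)
        token = secrets.token_urlsafe(32)
        fp = hashlib.sha256(csr_der).hexdigest()
        self._challenges[(domain, fp)] = Challenge(domain, fp, _hash(token), now + TOKEN_TTL)
        return token  # the CA e-mails this (or a URL carrying it) to contact_email

    def verify(self, domain: str, csr_der: bytes, token: str, now: datetime) -> bool:
        ch = self._challenges.get((domain, hashlib.sha256(csr_der).hexdigest()))
        if ch is None or ch.used or now >= ch.expires_at:
            return False
        if not hmac.compare_digest(_hash(token), ch.token_hash):  # constant-time compare
            return False
        ch.used = True  # consume it; issuance for this CSR may now proceed
        return True
```

A CSR that passes this check has shown control of the domain contact as well as possession of the key; the EV checks the answer describes would be additional manual steps on top of it.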