Changes

In the scheme used by Mozilla, certificates for entities such as web servers, or email users, or code developers are typically not self-signed but rather are signed by third parties (organizations or individuals) known as "Certification Authorities" or "CAs" for short. (CAs are in turn considered to be part of what is commonly referred to as a Public Key Infrastructure or PKI — although in fact it is possible to have a PKI that does not use CAs.) By signing the data in certificates CAs are assumed to be in some way vouching for the information contained in the certificate data.

For example, a certificate used for a secure web server normally contains the domain name used to connect to the web server, and by signing such a certificate a CA is assumed to be vouching for the fact that the entity operating the web server (the entity that controls the server's private key corresponding to the public key in the certificate) actually controls the domain name associated with the server. Similarly, a certificate used for secure email should contain the email address of the person or organization that controls the corresponding email account, with the CA signing the certificate assumed to have verified that that is the case, and a certificate used for a digitally signed applet (or other executable code) should contain the name of the developer or distributor of the applet (again, assumed to be verified by the CA).

Verifying a typical web server, or email user, or developer certificate then requires having the public key for the CA that signed the certificate. The CA's public key is itself distributed in the form of a certificate; this "CA certificate" is in turn digitally signed either by some other CA or by the CA itself (as a self-signed certificate). In the former case the CA is referred to as an "intermediate" CA; in the latter case the CA is referred to as a "root" CA, and its certificate is a "root CA certificate".

In general it is possible to have multiple root CAs; each root CA can then "issue" certificates directly for web servers, or email users, developers, etc., by digitally signing the data in those certificates, or can issue certificates to one or more intermediate CAs, which then issue certificates in turn.

Note that in theory CAs are not necessary in order to support cryptography-based functions like secure web browsing, etc., and in fact there are systems like PGP that do not use CAs in the sense defined above. (PGP uses a separate "web of trust" system in which PGP users sign each others' keys.) However the main cryptography-based functions in Mozilla — secure web browsing, and secure email, and digitally signed code objects — do assume the use of CAs, including root CAs.