Hi, I'm reading about PKI... What prevents bogus devices from requesting a valid CA certificate? How does the CA verify that the requestor is valid when deciding whether to issue an X.509 certificate to a device?
Thanks, Lisa G
In answer to your question, it is to do with how the certificate has been validated as to how much trust you put in it, e.g.:
I can apply for a personal Verisign certificate using just my e-mail address as identity. I will get a certificate, but when using my certificate people should be aware of how little I did to prove who I was.
For other certificates the company or individual may provide passport/driving license etc. details which give the certificate far more trust.
Obviously this is with a public CA such as Verisign. If you set up your own CA within your company then the CA administrator has a lot more control over who to issue a certificate to.