PKI 2: Certificate & Clients

Certificates are accepted if signed by a root CA. CA root certs are often encoded in the client software (IE, Netscape, Opera).
Certificates may also be self-signed or signed by an unknown CA. The user must exercise discretion in accepting or adding certificates.
Uses: SSL, S/MIME, Signed Software, IpSec/IPv6 (ISAKMP)
Failure points: Issuing CRL's and "user discretion"
Netcraft: 1.5 million servers run SSL, but only 60,000 have 3rd-party signed certificates

Certificates are accepted if signed by a root CA. CA root certs are often encoded in the client software (IE, Netscape, Opera).