Certificate Authority Fact Sheet
Thawte's recent change to signing with an intermediate certificate authority has caused some confusion. Hopefully this will alleviate any remaining uncertainty.
Thawte, the certificate authority (CA) that IU contracted with from 2006-2010 (prior to the InCommon Certificate Service) to provide SSL certificates, recently implemented a change to the way that they sign certificates. Rather than sign all certificates directly using their root certificate, they implemented an intermediate certificate authority.
Note: Most CAs, including Comodo (the contracted CA for the InCommon Certificate Service), were already utilizing intermediate certificate authorities. This affords a CA the ability to apply much stricter security measures to protect their root certificate.
How did the change affect servers and services at IU?
Since Thawte is now signing SSL certificates using their intermediate CA, rather than with their root CA directly, all servers that utilize SSL/TLS must recognize the validity of the intermediate CA.
A user attempting to connect via SSL/TLS will receive an error if the service administrator did not make the appropriate changes on the server. This will impact any service utilizing SSL/TLS, not just web servers.
Service owners should consult their contracted vendors as appropriate for assistance with such changes.
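To make the failure mode concrete, here is an added example (not from this fact sheet, and not IU's or Thawte's own material) that builds a throw-away root, intermediate and server certificate chain with the openssl command line, then checks the server certificate against a trust store that holds only the root. The first check imitates a server that was never updated and sends only its own certificate; the second imitates a server that also sends the intermediate. Every name, file and key is constructed for the demo, nothing is contacted over the network, and the only assumption is an openssl binary (1.1.1 or newer) on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original fact sheet: build a throw-away
# root -> intermediate -> server certificate chain and show why a server
# that sends only its own certificate fails validation when the client
# trusts just the root. All names, files and keys are constructed here.
set -eu

WORK="$(mktemp -d)"

# Minimal config so `openssl req` never prompts or needs the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# new_key_and_csr NAME SUBJECT : writes NAME.key and NAME.csr in $WORK
new_key_and_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_demo_chain() {
  # Root CA: self-signed; this is the only certificate the client trusts.
  new_key_and_csr root "/CN=Demo Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA: signed by the root; this is what actually signs servers.
  new_key_and_csr int "/CN=Demo Intermediate CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" >/dev/null 2>&1

  # Server certificate: signed by the intermediate, NOT by the root.
  new_key_and_csr server "/CN=www.example.edu"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.edu\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_server EXTRA : exit 0 if server.pem chains to the trusted root.
# EXTRA is a PEM file of untrusted certificates the "server" also presents
# (the intermediate), or "" if the server sends only its own certificate.
verify_server() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
  fi
}

# show_issuer FILE : print subject and issuer so the chain is visible.
show_issuer() {
  openssl x509 -in "$1" -noout -subject -issuer
}

build_demo_chain
show_issuer "$WORK/server.pem"   # issued by the intermediate, not the root
show_issuer "$WORK/int.pem"      # issued by the root

if verify_server ""; then
  echo "server sends only its own cert   -> OK (unexpected)"
else
  echo "server sends only its own cert   -> verification FAILS (issuer unknown)"
fi
if verify_server "$WORK/int.pem"; then
  echo "server sends cert + intermediate -> verification OK"
fi
```

The second `openssl verify` is the state a correctly updated server is in: the client still trusts only the root, but because the server supplies the intermediate alongside its own certificate, the client can build the chain server -> intermediate -> root. Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server sends; if the intermediate is missing from that output, clients that lack it locally will see exactly the error described above.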
This change did not occur because IU switched certificate authorities.
IU, through the UISO, partnered with Thawte since 2006 to provide discounted SSL certificates. Thawte implemented this change in June or July for security purposes; it was not a cost-saving measure.
Most major CAs have adopted this practice
A certificate authority is built on trust.
As such, a CA must not only vet the certificates it issues and signs, it must also apply an extraordinary level of security to its signing certificates. Were one of these certificates compromised, an attacker would be able to forge and issue certificates for reputable services, such as those of higher education institutions, companies, banks, governments, and more.
Implementing an intermediate CA means that the root CA can be more he