Can we see the blacklist that a browser, has for root certs? Or do you think that is intentionally hidden from end users?

@@DataVids I am not that familiar with the internal workings of all browsers. Chrome contains a CRLset that is a list of banned sites. It can’t be viewed directly but can be dumped with public code. (dev.chromium.org/Home/chromium-security/crlsets).

@@davecrabbe4579 thank you!

Ha, I was about to comment that!. BTW in my key chain it is not. So at some point Apple also removed it.

Indeed!

Thanks.. older video, but its all built on the same basic concept, so far.

Thanks..

yeah.. I picked that up after it was posted.. I'm still learning too :)

Glad you enjoyed it.. thanks

super! Thanks for the comment.

One of the best and crystal clear explanation I have ever seen !!

This is not how it works nowadays. If you want information about that part, look for diffie hellmann key exchange.

Yeah the latest version of SSL was deprecated in 2015

The problem is if the private key ever gets compromised at some point in the entire future of humanity, all past communication becomes compromised. Not good. Private key should only be used for identification and after a breach simply be replaced without further damage.

grin.. I'm older and I go slow these days..

Some go into too much detail and you never grasp the overall concepts.

Thanks for the comments. The actually technical implementation has so many more details. I tried to distill it into the core concepts.

Hi , I thought to encrypt the data we only use public key and to decrypt data we only use private key ? Could you validate again? I need to clarify this point?

In PKI, either the public OR the private key encrypts.. the OTHER key will decrypt.. This allows different applications of PKI.. such as digital signatures vs SSL communication. So in SSL, the PRIVATE key of the vendor you are attached to encrypts some information and I (the client) can decrypt it with that vendor's public key. If I want to send something secure back to the vendor, I can encrypt it with the Vendor's public key and they are the only one who can decrypt it with their vendor private key.

There are not that many intermediate CAs in a chain. Generally there is one intermediate cert and then the root CA. NSCC would send its cert and all other public certs needed to validate its certificate. They are not requested individually. I used a Sketching program from Adobe that I don’t believe they still provide.

@@davecrabbe4579 Thank you :)

Glad you enjoyed.. With all the complete details, it is a very complex topic. My attempt was to break it down into only the necessary components so that people understand how the basic principle works.

No, you are misunderstanding the information here. Here, Google is an ICA and as such, no client has Google's Public key in their certificate store. As an organization, Google must obtain a certificate from a known and trusted CA (GeoTrust). Thus, GeoTrust creates a cert for Google and signs it with their own private key. You are right, NO ONE must see the private key of another. This cert is sent to Google and they distribute this cert whenever Google issues a Cert. In the case shown, Google is issuing an SSL cert and encrypts the hash with their (Google's private key). The client would not have Google's public key and so could not decrypt the hash. This is why the Google cert (signed by GeoTrust) must be sent with the SSL cert. Every client has access to GeoTrust's public key since they are a well known CA. They can validate Google's cert and get Google's public key and they use this key to validate the SSL cert.

@@davecrabbe4579 Ah now I get it! Thanks! 😊

Either key can be used to encrypt. But the *OTHER* key must be used to decrypt. Which key is used to encrypt depends on the application (digital signatures, encryption certs, etc). However, the private key is *ONLY* known to the person issued. It must never be distributed.

14:27

LOL - I was just about to post this exact same observation.

lmao

hehe small mistake but we got the point....

If Microsoft didn't revoke CNNIC, then it may be reasonable to believe that Apple didn't either. If they didn't, then Safari would still ship with CNNIC as a trusted root and would therefore be installed on his computer.

There are some applications where the private key encrypts and some applications where the public key encrypts.. If you want to send something private to a friend then you use their public key to encrypt and they can decrypt with their private key.. If I want to “digitally sign” a document, I encrypt with my private key and anyone can get my public key to decrypt.. Since only my public key can decrypt it, it must have come from me. In all cases, the private key is kept secret with the entity that created the private/public key pair.

@@davecrabbe4579 noted thank you very much

@MetaTreatment I want to send a message to John and have him validate it comes from me. I write the message in plain text. I add my signature and then encrypt just my signature with my private key.. I then encrypt the message using John’s public key.. John gets the message.. only he can decrypt the entire message with his private key.. He then uses my Public key (which I personally send him .. or it could be posted on my personal web site.. ) He uses my public key to decrypt the signature .. since he knows he has my public key.. he can validate that I sent the message. No one but John can decrypt the message. Most email clients support all this.. you can play around with it.

@@davecrabbe4579 I have never heard of a case where public keys are used to decrypt. This breaks the fundamentals. Rather I can see where encrypting using the public key would match the encryption of a hash. So if you know the checksum of some document you could then use the public key to encrypt that checksum and then check that encrypted checksum against the encrypted checksum sent to you. This solution makes more sense to me.

@@osirioncomputing8521 Used for Digital Signatures. When digitally signing something, you encrypt the signature part with your private key. Since everyone has your public key, they can decrypt the signature.. Since only my private key can be decrypted by my public key, you know that info came from me.

The pinned post explains that.

If the private key is compromised all certificates created with that private key are compromised. If the private key of a ROOT authority is compromised there is a way to invalidate all certificates issued from that ROOT authority. I believe all browsers check some central repository for a list of ROOT authorities that have been compromised and will not process a certificate if the issuer is on that 'black' list.

I missed adding some info here. In the top box where is has "Google CA" it should be "Google ICA". GeoTrust is the root CA. Google ICA is an intermediate CA that issues SSL on behalf of GeoTrust. NSCC does not go to GeoTrust to get an SSL cert, it only needs to go to Google ICA. Google ICA issues the SSL Cert. Since Google ICA is not a root CA, no one has the Google ICA certificate stored in their browsers or Operating System. Therefore Google ICA needs to send its public certificate along with the SSL certificate and both certs are installed in the NSCC web server. When a client connects to NSCC, both the Google ICA and the SSL cert are sent to the client. The client first validates the Google ICA cert because this cert is signed by GeoTrust and all clients have the GeoTrust CA public cert in their OS or browser. Now the ICA is validated, the client uses the public key in the ICA cert to validate the SSL certificate, verifying it comes from NSCC. The client now trusts NSCC public key contained in its SSL cert. So there is one Root CA (GeoTrust) one ICA (Google) and then an SSL Cert for NSCC (this is not consided an intermediate cert.)

Clear! Appreciate that. Thanks a ton!

grin.. you know too much.. I purposely did not want to get into that level of detail as many readers who are just learning this for the first time might not get a good overview of the concept.