
certification hierarchy

Senses

1 (I)

A tree-structured (loop-free) topology of relationships between CAs and the entities to whom the CAs issue public-key certificates. (See: hierarchical PKI, hierarchy management.)

Tutorial: In this structure, one CA is the top CA, the highest level of the hierarchy. (See: root, top CA.) The top CA may issue public-key certificates to one or more additional CAs that form the second-highest level. Each of these CAs may issue certificates to more CAs at the third-highest level, and so on. The CAs at the second-lowest level issue certificates only to non-CA entities that form the lowest level (see: end entity). Thus, all certification paths begin at the top CA and descend through zero or more levels of other CAs. All certificate users base path validations on the top CA's public key.
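The structure in the tutorial can be checked mechanically. The following is an added example, not part of RFC 4949 or this glossary: it models issuance relationships as (issuer, subject) pairs, rejects any topology that is not a single loop-free tree under one top CA, and derives the certification path for an entity. The function names and all entity names are constructed for illustration.

```python
# Constructed sample: (issuer, subject) pairs. All names are made up.
EDGES = [
    ("TopCA", "CA-1"), ("TopCA", "CA-2"),   # second-highest level
    ("CA-1", "CA-1a"),                      # third-highest level
    ("CA-1a", "alice"), ("CA-2", "bob"),    # end entities
    ("TopCA", "carol"),                     # zero intermediate CAs
]

def check_hierarchy(edges):
    """Return (top_ca, issuer_of) if edges form one loop-free tree.

    Models topology only; it does not verify signatures or validity periods.
    """
    issuer_of, children, nodes = {}, {}, set()
    for issuer, subject in edges:
        if subject in issuer_of:
            raise ValueError(f"{subject} has more than one issuer")
        issuer_of[subject] = issuer
        children.setdefault(issuer, []).append(subject)
        nodes.update((issuer, subject))
    tops = sorted(nodes - set(issuer_of))
    if len(tops) != 1:
        raise ValueError(f"expected exactly one top CA, found {tops}")
    # Every entity must be reachable by descending from the top CA;
    # anything left over sits on (or below) a loop that never connects to it.
    seen, stack = set(), [tops[0]]
    while stack:
        node = stack.pop()
        seen.add(node)
        stack.extend(children.get(node, []))
    if seen != nodes:
        raise ValueError(f"unreachable from top CA (loop): {sorted(nodes - seen)}")
    return tops[0], issuer_of

def certification_path(edges, entity):
    """Return the path from the top CA down to entity, top CA first."""
    top, issuer_of = check_hierarchy(edges)
    if entity != top and entity not in issuer_of:
        raise KeyError(entity)
    path = [entity]
    while path[-1] != top:
        path.append(issuer_of[path[-1]])
    return path[::-1]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(" -> ".join(certification_path(EDGES, name)))
```

A cross-certificate between two branches, a second top CA, or a pair of CAs that certify each other all fail the check, because none of them is a tree under a single top CA.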

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).
2 (I) /PEM/

A certification hierarchy for PEM has three levels of CAs [R1422]:

  • The highest level is the "Internet Policy Registration Authority".
  • A CA at the second-highest level is a "policy certification authority".
  • A CA at the third-highest level is a "certification authority".
3 (O) /MISSI/

A certification hierarchy for MISSI has three or four levels of CAs:

  • A CA at the highest level, the top CA, is a "policy approving authority".
  • A CA at the second-highest level is a "policy creation authority".
  • A CA at the third-highest level is a local authority called a "certification authority".
  • A CA at the fourth-highest (optional) level is a "subordinate certification authority".

4 (O) /SET/

A certification hierarchy for SET has three or four levels of CAs:

  • The highest level is a "SET root CA".
  • A CA at the second-highest level is a "brand certification authority".
  • A CA at the third-highest (optional) level is a "geopolitical certification authority".
  • A CA at the fourth-highest level is a "cardholder CA", a "merchant CA", or a "payment gateway CA".