| I stand corrected! My original cursory understanding of HTTPS -- was that it required SSL/TLS to make it work, which in turn required CAs issuing certificates and the validation of those certificates to make that work... Now, all of the above is true -- but the subtle distinction that I realized after reading your comment (and performing more subsequent research on the matter) -- was that everything above is (apparently -- based on the best knowledge from the research I've done at this point in time!) based on local Root Certificates whose data is contained in local files (i.e., no need to reach out to a CA server for validation) which act as the "Trust Anchor" for all other SSL/TLS certificates... I.e., new certificates handed to a user's browser by a new website -- do not need to be validated by making an Internet connection to the CA and asking that the CA validate them -- instead, they are validated using cryptographic hashing techniques against the user's local CA Root Certificates... These CA Root Certificates are apparently X.509 certificates -- or follow that format: https://en.wikipedia.org/wiki/X.509 Now, that's a good thing! It means that there's no dependency (one less point of possible failure) that a CA be up and running -- for all of those HTTPS/TLS/SSL transactions to work... So, you are correct -- and I stand corrected! |
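
The local validation this comment describes, as an added example that is not part of the original comment: a throwaway root CA signs a leaf certificate, and `openssl verify` then accepts the leaf only when the issuing root is supplied as the local trust anchor. All names, keys and certificates are constructed for the example, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. All names (Example Root CA, Unrelated Root CA, www.example.test)
# are constructed; keys and certificates are throwaway and live in a temp dir.

# make_root DIR NAME CN: create a self-signed root certificate (a trust anchor).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR ROOTNAME: create a leaf key and CSR, then have the root sign it.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -sha256 -out "$1/leaf.crt" 2>/dev/null
}

# check_leaf ROOTCERT LEAFCERT: succeed only if the leaf chains to ROOTCERT.
# The trust anchor is read from a local file; this invocation contacts no CA server.
check_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" root "Example Root CA" &&
    make_root "$d" other "Unrelated Root CA" &&
    make_leaf "$d" root || return 1
    check_leaf "$d/root.crt" "$d/leaf.crt"  && echo "issuing root as anchor: accepted"
    check_leaf "$d/other.crt" "$d/leaf.crt" || echo "unrelated root as anchor: rejected"
    rm -rf "$d"
}
demo
```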