Ok, I think I know what is going on here...
First in plain English. Why do people trust passports? Because passports are authorized by governments. Imagine if I create a passport, sign it and say my buddy John authorized it! Could I get through the border? Not a chance because the border authorities have no idea who John is and whether or not he can be trusted.
When you use SSL you are using a combination of PKI and symmetric keys. The PKI is used for the initial secret key exchange. The problem though is how do you know that an SSL certificate is what it is supposed to be? The answer is that you don't and the SSL certificate needs to be signed. Signing the certificate means that the client and the server have contacted a single entity. The single entity is called a trusted authority. Thus when your browser contacts a server and is presented with an SSL certificate signed by the authority your browser will accept the signature of the authority because you have the verification information from the authority.
Where things get funny is if your browser does not have the signature of the signing authority. This is akin to being presented with a passport signed by John! Your browser alerts you and says, wait one minute here! Therefore to avoid the problems you can do two things. Ask the supplier of the certificate to get it properly signed. Or get a verification certificate from the authority and add it to your browser.
Ok?
[ February 22, 2006: Message edited by: Christian Gross ]
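The trust check described in the post above, as an added example that is not part of the original post: a certificate signed by an authority missing from the trust bundle is rejected, and is accepted once that authority's certificate is added. It assumes the `openssl` command-line tool is installed; the authority names, host name and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: every name below is constructed, nothing comes from a real site.
work=$(mktemp -d)

# make_ca PREFIX NAME: create a self-signed authority certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_cert PREFIX: create a server certificate signed by authority PREFIX.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -days 1 \
        -CA "$work/$1.crt" -CAkey "$work/$1.key" -CAcreateserial \
        -out "$work/server.crt" 2>/dev/null
}

# trusts BUNDLE: print "accepted" if the server certificate chains to an
# authority in BUNDLE (the browser's list of trusted authorities), else "rejected".
trusts() {
    if openssl verify -CAfile "$1" "$work/server.crt" >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

make_ca known "Well-Known Authority"   # an authority the browser already trusts
make_ca john  "John"                   # an authority the browser has never heard of
issue_cert john                        # the "passport signed by John"

# The browser starts out trusting only the well-known authority.
cp "$work/known.crt" "$work/browser.pem"
echo "before adding John's certificate: $(trusts "$work/browser.pem")"

# Second option from the post: add the authority's certificate to the browser.
cat "$work/john.crt" >> "$work/browser.pem"
echo "after adding John's certificate:  $(trusts "$work/browser.pem")"
```
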