Các giao thức ssl, như công nghệ nào, có những hạn chế của nó. Và bởi vì ssl cung cấp dịch vụ bảo mật, nó là đặc biệt quan trọng để hiểu giới hạn của nó. Sau khi tất cả, một cảm giác sai về bảo mật có thể tồi tệ hơn so với không có an ninh. Những hạn chế của mùa thu ssl thường thành ba loại. | Basic Cryptography 33 Figure 2-10 Netscape Navigator recognizes many certificate authorities. Certificate Hierarchies Sometimes it becomes difficult for a certificate authority to effectively track all the parties whose identities it certifies. Especially as the number of certificates grows a single authority may become an unacceptable bottleneck in the certification process. Fortunately public key certificates support the concept of certificate hierarchies which alleviate the scalability problems of a single monolithic authority. With a hierarchy in place a certificate authority does not have to certify all identities itself. Instead it designates one or more subsidiary authorities. These authorities may in turn designate their own subsidiaries the hierarchy continuing until an authority actually certifies end users. Figure 2-11 illustrates a simple three-level hierarchy one that might occur within a large corporation. As the figure shows the ACME Corporation has a master certificate authority and two subordinate authorities one for Human Resources and another for Research and Development. The subordinate authorities are responsible for entities within their domains. 34 SSL TLS Essentials Securing the Web Figure 2-11 Certificate hierarchies divide responsibility for certificates. A particularly powerful feature of certificate hierarchies is that they do not require that all parties automatically trust all the certificate authorities. Indeed the only authority whose trust must be established throughout the enterprise is the master certificate authority. Because of its position in the hierarchy this authority is generally known as the root authority. To see this process in action consider what happens when a client in the r d department needs to verify the identity of the Benefits server. The server presents its certificate issued and signed by the hr department s authority. The r d client does not trust the hr authority however so it asks to see that .