A necessary part of the PKI model. From now on, in short - CA.

A trusted company which signs third parties' (a.k.a. customers') digital certificates, thus certifying their authenticity and trust level. Before you get your certificate signed (for a fee, of course - this is similar to a notary notarizing your documents), you'll be required to present some official documents -- a procedure which reduces the risk that the third party (you) is a fraud.

When an e-commerce site presents your web browser with its X509 digital certificate (a thing which happens when you connect to an HTTPS site), your browser will:

  1. Read the certificate's "Issuer" field, which names the CA the certificate claims to have been issued by.
  2. Open its internal database of trusted major CAs (e.g. Verisign, Thawte) and find the one whose name corresponds to the "Issuer".
  3. Verify that the site's certificate was indeed signed by that CA (using the CA's certificate, i.e. its public key, and a bit of mathematics).
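The three steps above, as an added example that is not part of this writeup: a POSIX shell script using the openssl command line (assumed to be installed) builds a throwaway root CA plus a second, unrelated CA, issues a site certificate from each, then runs the issuer lookup and signature check against a trust store holding only the first. The names (Example Trusted CA, Some Kid's CA, shop.example.test) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Requires the openssl CLI.
# A trust store holding one root CA plays the part of the browser's internal
# database; a second CA generated at home is deliberately left out of it.
set -e
WORK=$(mktemp -d)

# Make a self-signed root CA ("Root Certificate"). $1 = file prefix, $2 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a site certificate signed by a CA. $1 = CA prefix, $2 = site, $3 = out prefix
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$3.pem" 2>/dev/null
}

make_ca trusted "Example Trusted CA"   # the CA the "browser" ships with
make_ca rogue   "Some Kid's CA"        # generated with OpenSSL, shipped nowhere
issue_cert trusted shop.example.test shop   # genuine site certificate
issue_cert rogue   shop.example.test fake   # same name, signed by the rogue CA

# Step 1: read the Issuer the certificate claims for itself.
issuer_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer | sed 's/^issuer=//'
}

# Steps 2 and 3: look the issuer up in the trust store and check the signature.
# Exit status 0 means the chain verifies against that trust store.
browser_trusts() {   # $1 = certificate prefix, $2 = trust store prefix
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Verdict against the shipped trust store, as the browser would report it.
verdict() {
  if browser_trusts "$1" trusted; then echo trusted; else echo untrusted; fi
}

echo "shop issuer: $(issuer_of shop) -> $(verdict shop)"
echo "fake issuer: $(issuer_of fake) -> $(verdict fake)"
```

The rogue certificate carries a perfectly valid signature and the same site name; it is rejected only because its issuer is absent from the trust store, which is the point the writeup makes about embedding.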

If the certificate ends up untrusted, the browser will alert you. This has created a big market, since e-commerce sites wish to be trusted by their customers, and has vested a lot of control in the hands of the popular browser vendors (Netscape and Microsoft). Since the browser vendors ultimately decide which CA certificates get shipped with their software, they decide which CA companies can do business. A CA whose certificate isn't trusted by the major browsers is worthless.

Technically, the CA is the root of the PKI trust tree (thus, the ultimate authority of trust), and its certificate is also called a "Root Certificate". Since there is no ultimate truth in our corrupted world, many commercial CAs have sprung up. The thick line distinguishing a real authority from a certificate every kid can generate (with OpenSSL or similar) is the embedding into the browsers. The web browsers' databases are static (their contents determined by whatever the vendor put in them when the browser was shipped), and the winners are those which could get their certificates into those databases in time, prior to major browser releases. (This is somehow reminiscent of the root name server monopoly, at the center of which -- quite curiously -- Verisign now stands too.)

At the time of this writeup, Verisign (after acquiring Thawte) had become the world's monopoly on digital certification.