A certification authority, or CA, holds a trusted position because the certificates that it issues bind the identity of a person or business to the pair of public and private keys (asymmetric cryptography) used to secure most internet transactions.
When a business or person wants to use these technologies, they apply to a certification authority. The CA collects information about the person or business that it will certify. Depending on the intended use, and therefore the level of security required, the CA follows certain rules, called “certificate policies”. These rules may make it necessary to verify the applicant’s information before issuing the certificate. For example, when a business wants to offer products for sale on a secure web site, the CA will usually check to make sure that the applicant really has responsibility for the domain. However, this particular policy wouldn’t apply to someone who just wants to encrypt their personal e-mail.
The processes that use the public key, such as a web browser, check the certificate to make sure that it comes from a trusted CA and may also check to be sure that the information is consistent with the way that it’s being used.
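The issuing step and the relying-party check described above, reproduced with the openssl command-line tool as an added example (not part of the original page). The CA name, shop.example and all file names are constructed, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: "Demo Root CA" and shop.example are made-up names.
# Assumes the openssl command-line tool is installed.

make_demo_pki() {  # $1 = existing empty working directory
  d=$1
  # The CA: a key pair plus a self-signed certificate marked as a CA.
  # Relying parties trust it by installing ca.pem, not by verifying it.
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.cnf" -out "$d/ca.pem" 2>/dev/null
  # The applicant keeps site.key private and sends only the request (CSR).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  # After checking the applicant, the CA signs a certificate that names the
  # domain and the permitted use (TLS server authentication).
  printf 'subjectAltName=DNS:shop.example\nextendedKeyUsage=serverAuth\n' \
    > "$d/site.cnf"
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/site.cnf" -out "$d/site.pem" 2>/dev/null
  # A self-signed certificate claiming the same name, vouched for by no CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=shop.example" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# What the relying party does: chain to the trusted CA, then confirm the
# certificate fits this use (a TLS server) and the host name being visited.
check_site() {  # $1 = trusted CA file, $2 = certificate, $3 = host name
  openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
    >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
  for t in "site.pem shop.example" "site.pem other.example" "self.pem shop.example"; do
    set -- $t
    if check_site "$dir/ca.pem" "$dir/$1" "$2"; then r=accepted; else r=rejected; fi
    echo "$1 presented for $2: $r"
  done
  rm -rf "$dir"
}
demo
```

Only the first check is accepted: the second fails because the CA never certified that host name, and the third because no trusted CA issued the certificate.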