Tuesday, March 1, 2005 01:03 PM
There's nothing in particular to know it's "you". That's a different level of verification where the server will only speak to certified clients.
In the public sense, vendors such as Amazon purchase certificates from certification vendors such as Veritas. Those large certification vendors already have their public keys in your browser. Certificates from Amazon and others can then be confirmed to be truly authorized and you know the site you are dealing with. Since you have the certification vendor's public key you can verify the Amazon certificate's signature along w/ their public key. That way if you went to another site, such as amazonia.com, their certificates wouldn't match correctly.
The actual communication between them relies on the same public key-private key encryption. You use their public key to encrypt information to send to them. Your information contains the public key they use to communicate back to you. That way, if anyone is listening on the port, it doesn't matter. They would need someone's private key to listen to at least one part of the conversation.
SSL doesn't completely use public key/private key for the entire conversation. That would be too expensive. Your session creates a password that allows both sides to encrypt the communication faster than the higher cost of public key/private encryption/decryption.
Hope that helps. Some further topics include: certified email, signed documents.
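The certificate check described in the post above, as an added example that is not part of the original post: a throwaway CA stands in for the certification vendor whose key is already in the browser, and `openssl verify` plays the client. All names (Example Test CA, Untrusted Test CA, shop.example, shop-lookalike.example) and the helper functions are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed names: "Example Test CA", "Untrusted Test CA", shop.example,
# shop-lookalike.example. Needs the openssl command-line tool.
WORK=$(mktemp -d)

# Create a self-signed CA. Its certificate plays the role of the vendor
# public key that ships inside the browser.
make_ca() {  # $1 = file prefix, $2 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Have CA $1 sign a certificate binding hostname $3 to a fresh site key.
issue_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = hostname
    printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -extfile "$WORK/$2.ext" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# What the client does: check the CA signature with the CA it already
# trusts, and check that the certificate names the host it asked for.
check_site() {  # $1 = trusted CA prefix, $2 = hostname wanted, $3 = cert prefix
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
        "$WORK/$3.crt" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args are passed to check_site
    label=$1; shift
    if check_site "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_ca trusted "Example Test CA"
make_ca other "Untrusted Test CA"
issue_cert trusted site shop.example
issue_cert trusted lookalike shop-lookalike.example
issue_cert other forged shop.example

report "real site, right name" trusted shop.example site
report "lookalike cert, name differs" trusted shop.example lookalike
report "right name, unknown signer" trusted shop.example forged
```

The second case fails on the hostname even though the trusted CA signed it, and the third fails on the signature even though the name is right; a client has to pass both checks before it encrypts anything to the site's public key.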