I have misconceptions regarding CA (Certificate Authority) certificates. No matter how many things I read, it is still not fully clear.
Let's take an example: Bob accesses a website. In order for trusted and encrypted communication to happen between Bob and the website, the website first issues Bob with a digital certificate, which contains a public key and other information.
Bob will then use this public key to encrypt the data which he will send to the website, and the website will use the corresponding private key to decrypt it. (Just considering one-way communication here.)
A man in the middle could pretend to be the website and supply Bob with what he believes is a valid digital certificate and then things go horribly wrong.
If the website uses a CA for this problem to validate or generate its own certificate, which one of my statements is correct, or are both partly correct?
1) Bob simply compares the digital certificate received from the website with the one from the CA, so no decryption is performed, just comparison? In this case, is every single CA certificate in the world stored on Bob's local computer to compare with? How does this happen?
2) Bob just has a special CA certificate which is used to decrypt certificates from sites. The CA has previously encrypted the digital certificate of the website which Bob wants to use with the CA private key. Bob then gets the certificate from the site, decrypts it with the CA's public key from the CA's certificate. If the certificate can't be decrypted, it's obvious that the CA did not encrypt it and so it is invalid.
Thanks in advance.