Components of PKI > Certificate revocation list - Pg. 159

Public Key Infrastructure CHAPTER 11 159

users who trust the root CA. A trust anchor is an entity known to be trusted without requiring that it be trusted by going to another party, and therefore can be used as a base for trusting other parties.

Subordinate CA: Any CA that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher-level subordinate CA. Once the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on the PKI structure and policies.

There are two ways to view PKI trust models: single CA and hierarchical. In a single CA model, PKIs are very simplistic; only one CA is used within the infrastructure. Anyone who needs to trust parties vouched for by the CA is given the public key for the CA. That single CA is responsible for the interactions that ensue when parties request and seek to verify the information for a given certificate.

Since there is nothing above the root CA, no one can vouch for its identity; it must create a self-signed certificate to vouch for itself. With a self-signed certificate, both the certificate issuer and the certificate subject are exactly the same. Being the trust anchor, the root CA must make its own certificate available to all of the users (including subordinate CAs) that will ultimately be using that