This is accomplished through the use of a certification authority (CA). CAs perform real-world due diligence to ensure credentials are only issued to actors who are whom they claim to be.
TODO: See if this is a top-down certificate authority, as in the HTTPS domain where browsers embed lists of trusted CAs.
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.[1][2] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[3]
Dutch Certificate Authority gets hacked.