Home > Public key infrastructure
In cryptography, a public key infrastructure (PKI) is an arrangement which provides for third-party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates.The term is used to mean both the certificate authority and related arrangements as well as, more broadly and somewhat confusingly, to mean use of public key algorithms in electronic communications. The later sense is erroneous since PKI methods are not required to use public key algorithms.
1 Purpose and function
PKI arrangements enable users to be authenticated to each other, and to use the information in identity certificates (i.e., each others' public keys) to encrypt and decrypt messages travelling to and fro. In general, a PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance.
2 Typical use
Most enterprise scale PKI systems rely on certificate chains to establish a party's identity, as a certificate may have been issued by a certificate authority computer whose 'legitimacy' is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy composed of, at a minimum, several computers, often more than one organization, and often assorted interoperating software packages from several sources. Standards are critical to PKI operation, and public standards are critical to PKIs intended for extensive operation. Much of the standardization in this area is done by the IETF PKIX workgroup.
Enterprise PKI systems are often closely tied to an enterprise's directoryThis article is about the computing term. The Directory was also a government in revolutionary France from 1795 to 1799. In computing, a directory catalog or folder is an entity in a file system which contains a group of files and other directories. A typ scheme, in which each employee's public key is often stored (embedded in a certificate), together with other personal details (phone number, email address, location, department, ...). Today's leading directory technology is LDAP and in fact, the most common certificate format ( X.509In cryptography, X. 509 is an ITU-T standard for public key infrastructure (PKI). 509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. History and usage X. 509 was initially issue) stems from its use in LDAP's predecessor, the X.500500 is the set of ITU-T computer networking standards covering electronic directory services such as white pages, Knowbot and whois. 500 was jointly developed with ISO as part of the Open Systems Interconnect suite of protocols, in order to support the re directory schema.
3 An alternative
An alternative approach to the problem of authentication of public key information across time and space is the web of trustIn cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user. It is, in some respects, an alternative to centralized PKI reliance exclusi scheme, which uses self-signed certificates and third party attestations of those certificates. Examples implementations of this approach are GPG (The GNU Privacy Guard), and PGP (Pretty Good Privacy). Because of PGP's (and clones') extensive use in email, the Web of Trust originally implemented by PGP is the most widely deployed bidirectional PKI extant at this writing ( 2004).
An even newer and rapidly growing alternative is the simple public key infrastructure (SPKI) that grew out of 3 independent efforts to overcome the complexities of X.509 and the anarchy of PGP's web of trust. SPKI binds people/systems directly to keys using a local trust model, similar to PGPs web of trust, with the addition of authorisation integral to its design.
