Public Key Infrastructure
A public key infrastructure (PKI) is a set of policies, practices, functional components, hardware, software and procedures needed to request, manage, distribute, and validate digital certificates, which offer confidentiality, integrity, authenticity and non-repudiation capabilities based on public-key encryption. Public key infrastructure is the backbone of online security and is used on a daily basis to secure, for example, e-commerce, internet banking, eGovernment, electronic contract signing or email protection.
A PKI issues public-key certificates. According to RFC 3647, “a public-key certificate (hereinafter “certificate”) binds a public key held by an entity (such as person, organization, account, device, or site) to a set of information that identifies the entity associated with use of the corresponding private key. In most cases involving identity certificates, this entity is known as the “subject” or “subscriber” of the certificate”.
The PKI is responsible for validating the identity of the person or device represented in the digital certificate and for ensuring that this identity is bound to the public key included in the certificate. The digital certificate needs to be issued following a specific certificate profile (typically documented in the Certificate Policy) and following the requirements defined in the Certification Practice Statement.
PKI Governance
The value of the identity represented in a digital certificate depends solely on how the PKI validated the identity of the subject represented in the digital certificate (identity vetting in WebTrust terminology, or identity proofing in eIDAS terminology). Additionally, various other policies and procedures, as well as specific software and hardware requirements, need to be fulfilled to create a trustworthy ecosystem in which relying parties can trust the identity claim included in a digital certificate.
During the design of the PKI, the following policies and procedures need to be considered (not exhaustive):
PKI Architecture
The design of a PKI can be very complex and needs to consider the specific environment and use cases for which the PKI will be used:
Based on these considerations, the PKI hierarchy, functional roles, architecture and technical design of the ecosystem can be established.
The Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement.
The Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile defines the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.
The X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs).