PKI Fundamentals
  • What is Public Key Infrastructure?
  • Components of a PKI
    • Public Key Infrastructure is Personnel, Policy, Procedures, and a core (public/private key) technology to bind users to digital identifications so that applications can provide the desired security services.
    • Certificate Authority (CA) – Responsible for all aspects of certificate issuance and certificate management.
      • Identification and authentication of subscribers
      • Registration
      • Certificate manufacture
      • Certificate publication
      • Certificate revocation
      • Certificate renewal/re-key
      • CAs are often grouped into hierarchical levels
        • Root CA
        • Subordinate CA
    • Registration Authority (RA) – Authorizes creation of a certificate and provides validated user information to the CA.
      • Entity that enters into an agreement with a Certificate Authority to collect and verify the subscriber’s identity and other information to be entered into the digital certificate.
      • RAs are sometimes grouped into hierarchies
        • Local Registration Authority (LRA)
      • Existing constructs sometimes used to perform this function
        • Notaries
    • Subscriber – Person (end user) who requests and uses a digital certificate.
      • Subscriber/User – an individual who owns a digital certificate (digital identity).
      • Digital certificates may be stored in various formats.
        • Software (floppy disk, file on computer)
        • Hardware (Smart Card)
    • Relying Party – Application and/or user who trusts the certificate.
    • Directory (Repository) – Device used to store and retrieve digital certificates and Certificate Revocation Lists (CRLs). A CRL is a list of non-valid (revoked) certificates.
      • The directory is used for storing and retrieving certificates or other information relevant to digital certificates and certificate revocation lists.
        • Analogous to a phone book
        • Searchable
      • Typical Uses
        • Finds and retrieves the certificate of an individual in order to send an encrypted email
        • Obtains a CRL
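
The roles above can be exercised end to end. This is an added example, not part of the original outline: it uses the Python `cryptography` package to build a constructed Root CA, Subordinate CA and three subscriber certificates, then runs the relying party's check (chain to the root, then consult the CRL). All names are hypothetical, and validity dates and extensions are not checked.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime.now(dt.timezone.utc), dt.timedelta(days=1)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, key, issuer_cn, issuer_key):
    """Certificate manufacture: the CA signs the subject name and public key."""
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, revoked_serials):
    """Certificate revocation: the CA signs a list of revoked serial numbers."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
           .last_update(NOW - DAY).next_update(NOW + DAY))
    for s in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW - DAY)
        crl = crl.add_revoked_certificate(entry.build())
    return crl.sign(issuer_key, hashes.SHA256())

def signed_by(cert, issuer):
    try:  # the issuer's public key must verify the signature over the signed bytes
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject

def relying_party_accepts(cert, sub_ca, root, crl):
    """Chain to the trusted root, then consult the issuing CA's signed CRL."""
    return (signed_by(sub_ca, root) and signed_by(cert, sub_ca)
            and crl.is_signature_valid(sub_ca.public_key())
            and crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None)

def demo():
    """Constructed hierarchy: Root CA -> Sub CA -> subscribers; bob is revoked."""
    rk, sk, ak, bk, xk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root, sub = issue("Root CA", rk, "Root CA", rk), issue("Sub CA", sk, "Root CA", rk)
    certs = {"alice": issue("alice", ak, "Sub CA", sk), "bob": issue("bob", bk, "Sub CA", sk),
             "untrusted": issue("untrusted", xk, "Sub CA", xk)}  # not signed by the CA
    crl = make_crl("Sub CA", sk, [certs["bob"].serial_number])
    return {n: relying_party_accepts(c, sub, root, crl) for n, c in certs.items()}
```

`demo()` returns one verdict per subscriber: only the certificate that chains to the root and is absent from the CRL is accepted.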