Public key infrastructure

The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.

In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations).

Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision.

RAs, however, do not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).

A third-party validation authority (VA) can provide this entity information on behalf of the CA.

Confidentiality: Assurance that no entity can maliciously or unwittingly view a payload in clear text.

Perhaps the most common use of PKI for confidentiality purposes is in the context of Transport Layer Security (TLS).

[8][9][10] A PKI consists of:[9][11][12] The primary role of the CA is to digitally sign and publish the public key bound to a given user.

To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share."

[22][23][24][25] This approach involves a server that acts as an offline certificate authority within a single sign-on system.

A single sign-on server will issue digital certificates into the client system, but never stores them.

In cases where the DID registry is a distributed ledger, each entity can serve as its own root authority.

[29][30] Developments in PKI occurred in the early 1970s at the British intelligence agency GCHQ, where James Ellis, Clifford Cocks and others made important discoveries related to encryption algorithms and key distribution.

[31] Because developments at GCHQ are highly classified, the results of this work were kept secret and not publicly acknowledged until the mid-1990s.

With the invention of the World Wide Web and its rapid spread, the need for authentication and secure communication became still more acute.

Commercial reasons alone (e.g., e-commerce, online access to proprietary databases from web browsers) were sufficient.

Taher Elgamal and others at Netscape developed the SSL protocol ('https' in Web URLs); it included key establishment, server authentication (prior to v3, one-way only), and so on.

An American Bar Association technology project published an extensive analysis of some of the foreseeable legal aspects of PKI operations (see ABA digital signature guidelines), and shortly thereafter, several U.S. states (Utah being the first in 1995) and other jurisdictions throughout the world began to enact laws and adopt regulations.

PKIs of one type or another, and from any of several vendors, have many uses, including providing public keys and bindings to user identities which are used for: Some argue that purchasing certificates for securing websites by SSL/TLS and securing software by code signing is a costly venture for small businesses.

This would mean that, to get the speed benefits of HTTP/2, website owners would be forced to purchase SSL/TLS certificates controlled by corporations.

This means browsers need to carry a large number of different certificate providers, increasing the risk of a key compromise.