Public Key Infrastructure
Pronunciation
[puhb-lik kee in-fruh-struhk-cher]
Analogy
Think of PKI as the entire global passport system. It's not just the passport itself (the digital certificate), but also the passport offices that issue them (Certificate Authorities), the laws governing who gets a passport, the databases to check if a passport is valid or stolen (Certificate Revocation Lists), and the border agents who verify them. PKI is the whole framework that makes digital certificates trustworthy and usable on a large scale.
Definition
A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
Key Points Intro
PKI provides the framework for establishing trust in digital identities and public keys.
Key Points
Enables secure electronic transfer of information for a range of network activities like e-commerce, internet banking, and confidential email.
Core components include Certificate Authorities (CAs), Registration Authorities (RAs), digital certificates, Certificate Revocation Lists (CRLs), and certificate repositories.
Relies on a hierarchy of trust, often rooted in a few trusted root CAs.
Manages the lifecycle of digital certificates: issuance, renewal, and revocation.
Example
The system that allows your web browser to trust HTTPS websites is based on PKI. Your browser has a list of trusted root CAs. When a website presents its SSL/TLS certificate, the browser verifies that it was issued by a CA in its trust store (or by an intermediate CA whose certificate chains back to a trusted root CA).
Technical Deep Dive
PKI architecture often involves a hierarchical trust model. Root CAs issue certificates to Intermediate CAs, which in turn can issue certificates to end-entities (like websites or users). A Registration Authority (RA) is often responsible for verifying the identity of entities requesting certificates before the CA issues them. Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) are used to check if a certificate has been revoked before its expiration date (e.g., if its private key was compromised). Policies and procedures (Certificate Policy - CP, and Certification Practice Statement - CPS) govern the operation of the PKI.
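The browser check in the Example section and the hierarchy and revocation machinery described above can be exercised end to end in a few dozen lines. The following is an added example, not code from the original page: it builds a constructed in-memory PKI (a self-signed root, an intermediate issued by the root, a leaf for the hypothetical host "www.example.test", plus an unrelated "rogue" root that is not in the trust store), verifies the leaf the way a TLS client does, and then has the intermediate issue a CRL that is checked only after its signature and freshness are confirmed. All names, serial numbers and lifetimes are assumptions made for the demo; it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy: root -> intermediate -> leaf, plus a
// rogue root that shares nothing with the trusted one. Keys live only in memory.
type DemoPKI struct {
	Root, Inter, Leaf, RogueRoot *x509.Certificate
	InterKey, RogueKey           *ecdsa.PrivateKey // kept so each CA can sign a CRL
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue has parent sign tmpl for pub; passing parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate marks the certificate as a CA allowed to sign certificates and CRLs.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func BuildDemoPKI() *DemoPKI {
	now := time.Now()
	rootKey, interKey, leafKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Demo Root CA", now)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Demo Intermediate CA", now), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{ // end-entity: no CA bit, server-auth only
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	rogueTmpl := caTemplate(99, "Rogue Root CA", now)
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	return &DemoPKI{Root: root, Inter: inter, Leaf: leaf, RogueRoot: rogue, InterKey: interKey, RogueKey: rogueKey}
}

// VerifyChain mirrors the browser check: the leaf must chain through the
// presented intermediates to a root in the trust store and be valid for host.
func VerifyChain(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// IssueCRL has issuer publish a DER-encoded CRL listing the given serials.
func IssueCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, serials ...*big.Int) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey)
	if err != nil {
		panic(err)
	}
	return der
}

// IsRevoked trusts a CRL only if the leaf's own issuer signed it and it is not
// stale; an unverifiable CRL is an error, never a silent "not revoked".
func IsRevoked(leaf, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := BuildDemoPKI()
	inters, trusted := []*x509.Certificate{p.Inter}, []*x509.Certificate{p.Root}
	fmt.Println("trusted root:", VerifyChain(p.Leaf, inters, trusted, "www.example.test"))
	fmt.Println("rogue root only:", VerifyChain(p.Leaf, inters, []*x509.Certificate{p.RogueRoot}, "www.example.test"))
	fmt.Println(IsRevoked(p.Leaf, p.Inter, IssueCRL(p.Inter, p.InterKey, p.Leaf.SerialNumber)))
}
```

Two details matter for the Security Warning that follows: the rogue root has a perfectly well-formed CA certificate and still fails, because trust comes from the verifier's root store rather than from the certificate's own claims, and a CRL signed by anyone other than the leaf's issuer is rejected outright rather than being read, which is what prevents a forged revocation list from either hiding a revocation or fabricating one.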
Security Warning
The security of a PKI relies heavily on the security and trustworthiness of the Certificate Authorities, especially root CAs. If a CA is compromised, it could issue fraudulent certificates, undermining trust. Keeping CA private keys secure is paramount. Timely certificate revocation is also crucial.