In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of CA. The binding is established through the registration and issuance process, which, depending on the assurance level of the binding, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA), which ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.
Public-key cryptography is a cryptographic technique that enables users to securely communicate on an insecure public network, and reliably verify the identity of a user via digital signatures.
A PKI is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital signature certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
- A public-key infrastructure (PKI) consists of:
- A certificate authority (CA) that both issues and verifies the digital certificates
- A registration authority which verifies the identity of users requesting information from the CA
- A central directory—i.e., a secure location in which to store and index keys
- A certificate management system
- A certificate policy
Methods of certification
Broadly speaking, there are three approaches to getting this trust: certificate authorities (CAs), web of trust (WoT), and simple public-key infrastructure (SPKI).Certificate authorities
The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. When the CA is a third party separate from the user and the system, then it is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision.
The term trusted third party (TTP) may also be used for certificate authority (CA). Moreover, public-key infrastructure (PKI) is itself often used as a synonym for a CA implementation.
Temporary certificates and single sign-on
This approach involves a server that acts as an online certificate authority within a single sign-on system. A single sign-on server will issue digital certificates into the client system, but never stores them. Users can execute programs, etc. with the temporary certificate. It is common to find this solution variety with X.509-based certificates.
Web of trust
An alternative approach to the problem of public authentication of public-key information is the web-of-trust scheme, which uses self-signed certificates and third party attestations of those certificates. The singular term "web of trust" does not imply the existence of a single web of trust, or common point of trust, but rather one of any number of potentially disjoint "webs of trust". Examples of implementations of this approach are PGP (Pretty Good Privacy) and GnuPG (an implementation of OpenPGP, the standardized specification of PGP). Because PGP and implementations allow the use of e-mail digital signatures for self-publication of public-key information, it is relatively easy to implement one's own web of trust.[citation needed]
One of the benefits of the web of trust, such as in PGP, is that it can interoperate with a PKI CA fully trusted by all parties in a domain (such as an internal CA in a company) that is willing to guarantee certificates, as a trusted introduce. Only if the "web of trust" is completely trusted, and because of the nature of a web of trust, trusting one certificate is granting trust to all the certificates in that web. A PKI is only as valuable as the standards and practices that control the issuance of certificates and including PGP or a personally instituted web of trust could significantly degrade the trustability of that enterprise's or domain's implementation of PKI.
The web of trust concept was first put forth by PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0:
As time goes on, you will accumulate keys from other people that you
may want to designate as trusted introduces. Everyone else will each choose
their own trusted introduces. And everyone will gradually accumulate and
distribute with their key a collection of certifying signatures from other
people, with the expectation that anyone receiving it will trust at least one
or two of the signatures. This will cause the emergence of a decentralized
fault-tolerant web of confidence for all public keys.
|
Simple public-key infrastructure
Another alternative, which does not deal with public authentication of public-key information, is the SPKI that grew out of three independent efforts to overcome the complexities of X.509 and PGP's web of trust. simple public-key infrastructure does not associate users with persons, since the key is what is trusted, rather than the person. simple public-key infrastructure does not use any notion of trust, as the verifier is also the issuer. This is called an "authorization loop" in simple public-key infrastructure terminology, where authorization is integral to its design.
Apply online Digital Signature Certificate by DSM
I'm very new to the topic of public key infrastructure, so thanks for providing such a simplified piece of information. Also the issue of certification authority became very clear to me.
ReplyDeleteThis was a very informative read! Data security is a top concern for organizations. Do you have any recommendations on the best digital signature providers in delhi for maximum security.
ReplyDelete