Public Key Infrastructure is a foundation for trusted communication
When we talk about SSL, Certificate Authorities, browser trust, and all the other regular topics on this blog, we are talking about components of a system called the Web PKI. This is the system that supports “HTTPS,” providing the means for issuing and distributing the certificates used to identify websites.
But there are many other systems out there which use certificates and public key cryptography to securely transfer data and provide authentication.
PKI – or Public Key Infrastructure – simply refers to a system which manages public key certificates (“certificates”) as a means of identifying computers and devices. The term “infrastructure” here is quite straightforward and refers to the method of managing and distributing said certificates. This includes both the technical systems and policies.
This foundational technology can be adapted to all sorts of systems and networks.
The other foundation of PKI is X.509, the standard format for certificates; because it is a published standard, any software that implements it can parse and validate the same certificate. Most certificates you encounter – including SSL and Code Signing certificates – are X.509 certificates.
The Web PKI’s infrastructure is a number of Certificate Authorities (CAs) that are responsible for issuing certificates to individual users, which in this case are (primarily) websites – such as Google.com. The browsers and operating systems – which get to decide what CAs are trusted on their platform – are another major component.
The Web PKI is just one example of a real-world use of the PKI system. There are many others, like the IoT PKI. Or how about a PKI for cars? There are even ways to combine the blockchain – the hyped-up foundation of many cryptocurrencies like Bitcoin – with PKI.
Sometimes these can be ‘miniature’ versions of the Web PKI, such as a private PKI used within an enterprise. Major companies like Disney operate their own PKI. Then you have even broader systems, like the Internet PKI which includes things like email certificates in addition to the Web PKI.
A medical device manufacturer could use PKI to allow their devices to securely communicate with each other or with a central server. A hospital could use PKI to allow all those different devices within the building to communicate.
PKI is an incredibly flexible tool – though one that is very difficult and time-consuming to manage. Many organizations that want to deploy their own PKI choose to pay a CA to take care of this for them. In the industry we refer to this as MPKI – Managed PKI – essentially PKI-as-a-service.
Some major CAs from the Web PKI provide other PKI products. DigiCert, for instance, has an entire PKI platform dedicated to Internet-of-Things devices.
Just as PKI can be adapted to any number of uses, so can X.509 certificates. The exact data and fields contained within the certificate can be changed as needed. For instance, an SSL certificate is issued to a particular website. But other PKIs may be identifying different things, such as a physical device, and would instead opt for issuing certificates to that device’s serial number or other unique identifier.
In short – PKI is a foundation for establishing trusted communication on a network. Its exact implementation can be adapted to fit all sorts of uses. While we mainly know of the Web PKI due to its public nature, there are many other systems out there allowing us and our computers to communicate securely.