Information Security


PKI Trust Models

Public Key Infrastructure (PKI) is a framework that consists of hardware, software, policies, standards, and people working together to create, manage, distribute, use, store, and revoke digital certificates based on asymmetric cryptography (public and private keys).

The primary objective of PKI is to enable secure, scalable, and reliable communication over untrusted networks such as the Internet by ensuring:

  • Authentication (verifying identity),
  • Confidentiality (keeping data private),
  • Integrity (ensuring data is not altered), and
  • Non-repudiation (proof of origin).

Why Trust Models Matter in PKI:

Trust models define how trust is established and managed among the various entities in a PKI system. Since PKI relies on Certificate Authorities (CAs) to issue and manage certificates, the structure of trust relationships affects the security, efficiency, and scalability of the system.

PKIX (Public Key Infrastructure using X.509) Trust Model Components:

PKIX is a widely adopted standard defined by the IETF and based on X.509 certificates. It outlines a trust framework that includes several essential components:

1.) End Entity:

  • An End Entity is any system or individual that uses or supports PKI services, including users, devices (e.g., servers, routers), or applications.
  • End entities are typically the consumers of certificates. They are issued digital certificates to authenticate themselves and establish secure communications. They do not issue certificates themselves.

2.) Certificate Authority (CA):

  • A Certificate Authority (CA) is a trusted entity responsible for issuing, validating, and revoking digital certificates.

The CA is the core of the trust model in a PKI. It digitally signs each certificate with its private key, and its own public key is widely distributed and trusted so that relying parties can verify those signatures. A PKI commonly contains two kinds of CA:

  • Root CA: The top-level, self-signed CA.
  • Intermediate CA: Subordinate to the Root CA, helps scale and segment trust.

3.) Registration Authority (RA):

  • A Registration Authority is an entity that acts as a mediator between end entities and the CA, handling certificate request validation and identity verification.
  • RAs do not issue certificates but verify the identity of users or devices requesting them. After approval, they forward requests to the CA for certificate generation. This division improves security and efficiency.

4.) CRL Issuer:

  • A CRL Issuer is an optional component delegated by a CA to publish Certificate Revocation Lists (CRLs).
  • This entity may be separate from the CA for scalability or security reasons. It ensures that revoked certificates are made public, allowing relying parties to validate whether a certificate is still trustworthy.

5.) Repository:

  • A Repository is a system or platform that stores and distributes certificates and CRLs so that they are accessible to end users and applications.

Repositories can be LDAP servers, HTTP servers, or directory services. They allow clients to retrieve:

  • Certificates of communication partners
  • CA public keys
  • Certificate Revocation Lists (CRLs)

There are several ways PKI trust can be organized. The three most common trust models include:

1.) Hierarchical Trust Model (Tree Model):

  • A single Root CA issues certificates to multiple Intermediate CAs.
  • Intermediate CAs issue certificates to end entities.
  • All trust flows from the Root CA.
  • Scalable, commonly used in corporate and public systems.

2.) Web of Trust (Decentralized Model):

  • No central authority.
  • Each participant can issue and sign certificates for others.
  • Trust is subjective and based on personal relationships; this is the model used by PGP.
  • Hard to scale and verify in large systems.

3.) Mesh or Cross-Certification Model:

  • Multiple CAs trust each other through cross-certification.
  • Each CA can issue certificates to other CAs.
  • Enables federated environments (e.g., government agencies).
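The following is an added example, not part of the original page, that shows in working code how a relying party actually exercises a trust model: it builds a certification path from an end-entity certificate up to a trust anchor, verifies every signature along the way, consults a CRL, and shows how a cross-certificate lets a party that trusts only its own Root CA accept a certificate from another organisation's hierarchy. All names (Example Root CA, OrgB Root CA, www.example.test, app.orgb.test) and serial numbers are constructed for the illustration. The signature scheme is a deliberately tiny textbook RSA with million-scale primes, written here only so the example runs with the standard library; it stands in for the real X.509 signature algorithms and must not be reused.

```python
import hashlib
from dataclasses import dataclass

# ---- Toy textbook RSA, constructed for this illustration only. Real PKI uses
# ---- 2048-bit+ RSA with proper padding, or ECDSA/EdDSA; never reuse this. ----
def _primes_from(start, count):
    """Return the first `count` primes >= start (trial division is fine at ~10^6)."""
    found, n = [], start
    while len(found) < count:
        if n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1)):
            found.append(n)
        n += 1
    return found

_PRIMES = _primes_from(1_000_000, 12)

def make_keypair(i):
    """Deterministic toy keypair number i: (public=(n, e), private=(n, d))."""
    p, q = _PRIMES[2 * i], _PRIMES[2 * i + 1]
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple    # subject's public key, as certified by the issuer
    serial: int
    sig: int = 0  # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The to-be-signed part: every field except the signature."""
        return f"{self.serial}|{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, subject_pub, issuer_name, issuer_priv, serial):
    """The CA's act: bind subject to subject_pub under the issuer's private key."""
    unsigned = Cert(subject, issuer_name, subject_pub, serial)
    return Cert(subject, issuer_name, subject_pub, serial, sign(issuer_priv, unsigned.tbs()))

def validate_path(leaf, trust_anchors, pool, crl, max_depth=5):
    """Build a path from `leaf` to a trust anchor by following issuer names through
    `pool` (intermediate and cross-certificates), verifying each signature and
    rejecting any (issuer, serial) pair listed in `crl`.
    Returns the subject names from leaf to anchor, or None if no valid path exists."""
    anchors = {c.subject: c for c in trust_anchors}
    by_subject = {}
    for c in pool:
        by_subject.setdefault(c.subject, []).append(c)

    def walk(cert, depth, seen):
        if depth > max_depth or (cert.issuer, cert.serial) in crl:
            return None
        if cert.issuer in anchors:  # the path closes at a trust anchor
            anchor = anchors[cert.issuer]
            return [cert.subject, anchor.subject] if verify(anchor.pub, cert.tbs(), cert.sig) else None
        for issuer_cert in by_subject.get(cert.issuer, []):
            if issuer_cert.subject in seen:  # skip loops, e.g. a self-signed root in the pool
                continue
            if verify(issuer_cert.pub, cert.tbs(), cert.sig):
                rest = walk(issuer_cert, depth + 1, seen | {issuer_cert.subject})
                if rest:
                    return [cert.subject] + rest
        return None

    return walk(leaf, 0, {leaf.subject})

def demo():
    """Constructed scenario: a hierarchy, a revoked certificate, and a cross-certified peer."""
    root_pub, root_priv = make_keypair(0)        # hierarchical model: one self-signed root
    inter_pub, inter_priv = make_keypair(1)
    leaf_pub, _ = make_keypair(2)
    b_root_pub, b_root_priv = make_keypair(3)    # a second organisation's own root
    b_leaf_pub, _ = make_keypair(4)
    old_pub, _ = make_keypair(5)

    root = issue("Example Root CA", root_pub, "Example Root CA", root_priv, 1)
    inter = issue("Example Intermediate CA", inter_pub, "Example Root CA", root_priv, 2)
    leaf = issue("www.example.test", leaf_pub, "Example Intermediate CA", inter_priv, 3)
    revoked = issue("old.example.test", old_pub, "Example Intermediate CA", inter_priv, 4)

    b_root = issue("OrgB Root CA", b_root_pub, "OrgB Root CA", b_root_priv, 1)
    b_leaf = issue("app.orgb.test", b_leaf_pub, "OrgB Root CA", b_root_priv, 2)
    # Cross-certification: Example Root CA vouches for OrgB's root key under its own signature.
    cross = issue("OrgB Root CA", b_root_pub, "Example Root CA", root_priv, 5)

    crl = {("Example Intermediate CA", 4)}  # what the CRL issuer has published as revoked
    anchors = [root]                        # the relying party trusts only Example Root CA
    pool = [inter, b_root, cross]           # what the repository makes available
    return {
        "hierarchical": validate_path(leaf, anchors, pool, crl),
        "revoked": validate_path(revoked, anchors, pool, crl),
        "cross_certified": validate_path(b_leaf, anchors, pool, crl),
        "untrusted_without_cross": validate_path(b_leaf, anchors, [inter, b_root], crl),
    }

if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: {path}")
```

The four results map onto the page's components: the hierarchical path closes at the single Root CA, the revoked certificate is rejected even though its signature is valid (which is why a CRL issuer and repository are needed alongside the CA), the OrgB certificate is accepted only because the cross-certificate exists in the repository, and without it the relying party has no path to an anchor it trusts, however well-formed OrgB's own hierarchy is.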
