Sistema de blogs Diarium
Universidad de Salamanca
Pablo Gallardo's Blog
My professional web log about IT, Cybersecurity & Project Management

Public Key Instrastructure (PKI)

Before reading this article, you may find useful to have a look at the preliminary post about encryption concepts for IT, that explains step-by-step the needs for a Public Key Infraestructure.

What is a Public Key Infrastructure (PKI)?

When establishing a communication between a sender and a receiver through a network, they may see convenient to have a trusted third party that is in charge of distributing the public keys to the agents involved in communication. These public keys would be digitally signed by the trusted third party.

In order to distribute public keys, this third party forges a digital certificate by appending the signed subscriber’s public key with details of the subscriber’s identity.

The organizational structure to distribute digital certificates through a third party is called Public Key Infrastructure (PKI).

The goal of using a third party, PKI and digital certificates is to achieve authentication during the communication, and removing vulnerabilities to man-in-the-middle (MITM) attacks.

A PKI is composed of:

  • Subscriber
  • Certification authorities (CA)
  • Registration authorities (RA)
  • Certification Revocation List (CRL)
  • Certificate Practice Statement (CPS)

A subscriber or end entity is an entity that is participating in a PKI and is the subject of a certificate.

Certification Authority (CA) is how the trusted third party in charge of distributing certificates is called in PKI.

CA maintains a Certification Revocation List (CRL), that contains all compromised certificates, it means, certificates that have been leaked, lost, etc.

Certificates usually contains a Certificate Practice Statement (CPS), that provides information about how the CA issue certificates.

A CA can delegate some specific functions to a Registration Authority (RA). It is not mandatory to have a RA different to CA. Functions of RA are not fixed, but it is mainly to verify the identity of the subscriber.


You might also be interested in…

External References


About pmgallardo

I studied Computer Science at University of Salamanca. Since then, I have been working first as developer and then as SAP consutant. This blog is about problems I dealt when using computers, and more important, the solutions I found. Whenever I am on an issue and suddenlly I have a flash that leads me to a solution, I document my discoveries in a post.
No comments yet.

Leave a Reply


Política de privacidad
Studii Salmantini. Campus de excelencia internacional