Chapter 89. Some Thoughts on PKI

Tarah Wheeler

PKI, or public key infrastructure, is about how two entities learn to trust each other in order to exchange messages securely. You may already know that Kerberos and the KDC (Key Distribution Center) work on a shared-secret principle, where users go to a central authority and get authorization to communicate and act in a given network. PKI is a more complex system that spans many different networks, in which keys you already trust can delegate their trust (and hence yours) to other keys you don’t yet know.

There are five parts of certificate or web PKI:

Certificate authorities (CAs)
The bodies that grant certificates for public/private key pairs. In practice they are a form of verification that greases organizational wheels when there is no other way of demonstrating that you are who you say you are: a function of identity.
Registration authorities (RAs)
These have what is essentially a license to issue certificates, based on being trusted by the CA and dependent upon their ability (which is sometimes outsourced) to validate organizational identity in a trustworthy way. CAs issue certificates, and RAs verify the information provided in those certificates.
Certificate databases
These databases store requests for certificates, as opposed to the certificates themselves.
Certificate stores
Stores hold the actual certificates. I wasn’t in charge of ...
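The delegation of trust described above, and the request/store split from the list, as an added example that is not part of the chapter: a root you already trust signs an intermediate, the intermediate signs a leaf you have never seen, and the verifier accepts the leaf only when it can chain back to a root in its store. It assumes the openssl command-line tool is installed; the CA names, file names and the host www.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the chapter's code: build a small CA hierarchy with the
# openssl CLI (assumed installed) and show trust flowing root -> intermediate -> leaf.
# Names, paths and the www.example.test host are constructed for the demo.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"

# Minimal req config (no prompts) and the extensions each tier carries.
printf '[req]\ndistinguished_name=req\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# csr <name> <CN>: new key plus a certificate request. The request is what a
# certificate database records; an RA would vet its subject before the CA signs.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign <name> <ext file> [issuer]: self-sign when no issuer, else sign with the issuer's key.
sign() {
  if [ $# -ge 3 ]; then set -- -in "$1.csr" -out "$1.crt" -extfile "$2" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial
  else set -- -in "$1.csr" -out "$1.crt" -extfile "$2" -signkey "$1.key"; fi
  openssl x509 -req -days 30 "$@" 2>/dev/null
}

csr root "Example Root CA";          sign root ca.ext         # trust anchor (what a certificate store holds)
csr int "Example Intermediate CA";   sign int ca.ext root     # root delegates its signing power
csr leaf "www.example.test";         sign leaf leaf.ext int   # a key the verifier has never seen
csr other "Unrelated Root CA";       sign other ca.ext        # a root nobody asked us to trust

# verify_leaf <trust store> [intermediate]: can leaf.crt be chained to a trusted root?
verify_leaf() {
  if [ $# -ge 2 ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  if openssl verify -no-CApath -no-CAfile "$@" leaf.crt >/dev/null 2>&1; then
    echo "trusted"; return 0
  fi
  echo "not trusted"; return 1
}

verify_leaf root.crt int.crt            # trusted: root -> int -> leaf
verify_leaf root.crt || true            # not trusted: the delegating link (int.crt) is missing
verify_leaf other.crt int.crt || true   # not trusted: chain ends at a root the store lacks
```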

Get 97 Things Every Information Security Professional Should Know now with the O’Reilly learning platform.