Understanding PKI - Part 2
by Russ Rogers - 7/18/2000
In the previous article about PKI, we covered only a simple overview of how Public Key Infrastructure (PKI) works. This issue, we'll
go into more detail about the various registration and certificate authorities that help make this system reliable for end users.
Typically, the end user only has knowledge about the PKI-enabled application that they use on their desktop. But there is a lot more
happening behind the scenes.
Aside from the application that the user is using, there is also a Certificate Authority (CA) and a Registration Authority (RA) that
help maintain the validity of all issued certificates.
Certificate Authority
As we mentioned before, a digital certificate identifies a network user. The process of associating a particular certificate with a
particular user is called "certification". This process is done by the Certificate Authority (CA). The CA verifies the identity of
the person requesting the certificate through traditional methods: driver's license, birth certificate, etc. This process is called
vetting. Each certificate is only valid for a specified period of time. If it is not renewed, it expires and becomes invalid.
The CA will receive requests from other agents asking it to verify the validity of a user's certificate. These requests typically
only concern users for which that CA initially issued the user's certificate. If the information sent to the CA for verification
matches the user on file, then the CA sends back a validation to the requesting agent. If any information on the request no longer
matches (name change, etc), then the certificate is said to be invalid.
Registration Authority
A Registration Authority is an approval agent for the issuance of a new certificate. They do not actually issue the certificate, but
they act strictly as a vetting agent. Once they have verified the actual identity of the user, they will send the approval to the CA,
who will actually issue the certificate.
Using both a CA and an RA allows a company to have a central Registration Authority and multiple Certificate Authorities at
regional branches. It provides a method for tracking both approval and certification activities within the company.
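The two sections above describe a division of labor (the RA vets identity and approves; the CA issues, keeps the record on file, answers validation requests, and treats a certificate as invalid once it expires or its details no longer match the record) without showing it in code. The following is an added example, not code from the original article or from any product: a toy Python model of that flow. It is not real X.509. Its assumptions are that the CA "signs" with an HMAC under a secret only it holds (a stand-in for a real CA's private-key signature, which is why verification here means asking the CA, as the article describes) and that RA vetting is a lookup against a constructed record of identity documents.

```python
"""Toy RA -> CA -> verifier model of the flow described in the article.

Assumptions (not how production PKI works): the CA signs with an HMAC over
the certificate fields using a secret only it holds, and vetting is a lookup
against constructed identity records.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample data: identity documents the RA accepts as proof.
VETTED_IDENTITIES = {
    "alice@example.com": {"drivers_license": "DL-0001", "name": "Alice Example"},
}
ISSUE_TIME = datetime(2000, 7, 18, tzinfo=timezone.utc)  # constructed issue date


class RegistrationAuthority:
    """Vets applicants and records approvals; never issues a certificate."""

    def __init__(self, records):
        self.records = records
        self.approvals = []  # audit trail of (subject, approved) decisions

    def vet(self, subject, presented_documents):
        on_file = self.records.get(subject)
        approved = on_file is not None and on_file == presented_documents
        self.approvals.append((subject, approved))
        return approved


class CertificateAuthority:
    """Issues certificates only for RA-approved subjects; answers validity queries."""

    def __init__(self, name, validity_days=365):
        self.name = name
        self.validity = timedelta(days=validity_days)
        self._key = secrets.token_bytes(32)  # stand-in for the CA private key
        self.issued = {}                     # serial -> certificate record on file
        self._next_serial = 1

    def _sign(self, fields):
        payload = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, subject, ra_approved, now):
        if not ra_approved:
            raise PermissionError("CA issues only RA-approved certificates")
        fields = {
            "serial": self._next_serial,
            "subject": subject,
            "issuer": self.name,
            "not_before": now.isoformat(),
            "not_after": (now + self.validity).isoformat(),
        }
        self._next_serial += 1
        cert = dict(fields, signature=self._sign(fields))
        self.issued[cert["serial"]] = dict(cert)  # separate copy kept on file
        return cert

    def record_change(self, serial, **changes):
        """Model a change on file after issuance (e.g. a name change)."""
        self.issued[serial].update(changes)

    def verify(self, presented, now):
        """Answer a validation request: 'valid' or the reason the cert is not."""
        on_file = self.issued.get(presented.get("serial"))
        if on_file is None:
            return "unknown: not issued by this CA"
        fields = {k: v for k, v in presented.items() if k != "signature"}
        if not hmac.compare_digest(self._sign(fields), presented.get("signature", "")):
            return "invalid: signature does not verify"
        if any(fields[k] != on_file[k] for k in fields):
            return "invalid: details no longer match the record on file"
        if now < datetime.fromisoformat(fields["not_before"]):
            return "invalid: not yet valid"
        if now > datetime.fromisoformat(fields["not_after"]):
            return "invalid: expired, renewal required"
        return "valid"


def run_demo():
    """Walk the flow end to end and return the outcome of each step."""
    ra = RegistrationAuthority(VETTED_IDENTITIES)
    ca = CertificateAuthority("Example Regional CA")
    good_docs = {"drivers_license": "DL-0001", "name": "Alice Example"}
    bad_docs = {"drivers_license": "DL-9999", "name": "Alice Example"}
    results = {"alice_approved": ra.vet("alice@example.com", good_docs),
               "forged_docs_approved": ra.vet("alice@example.com", bad_docs)}
    cert = ca.issue("alice@example.com", results["alice_approved"], ISSUE_TIME)
    results["fresh"] = ca.verify(cert, ISSUE_TIME)
    results["expired"] = ca.verify(cert, ISSUE_TIME + timedelta(days=366))
    tampered = dict(cert, subject="mallory@example.com")  # altered after issue
    results["tampered"] = ca.verify(tampered, ISSUE_TIME)
    ca.record_change(cert["serial"], subject="alice.smith@example.com")
    results["after_name_change"] = ca.verify(cert, ISSUE_TIME)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The order of checks in `verify` mirrors the article: the CA first confirms the certificate is one it issued, then that it is intact, then that the presented details still match what is on file, and only then that the validity period has not lapsed. The audit trail kept by the RA is what gives a company the separate record of approval activity the section above mentions.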
Applications for PKI
Users rely on these certificates to access secure web sites, to send email, or to communicate through a Virtual Private Network (
VPN). Corporations use them for access into internal networks via a firewall. Web browsers use certificates to enable secure
connections for online purchasing and identity verification. The goal is to provide transparent, yet secure, access for users to
these resources. PKI simply provides the best known methodology for achieving these goals.