Public key infrastructure (PKI) is a framework of hardware, software, and policies that exists to create, manage, store, and distribute keys and digital certificates. Although PKI is not needed for small groups, exchanging keys becomes difficult as groups grow larger, and PKI was developed to meet that need. The components of the PKI framework include the following:
- Not Before
- Not After
Subject Public Key Info
- Public Key Algorithm
- Subject Public Key
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
Trust isn't a problem in small organizations, but when you need to communicate within large organizations, with external clients, and with third parties, it's important to develop a working trust model. Organizations typically follow one of several well-known trust models. Three of the most common include
A single authority trust model uses a single third-party central agency. This agency is the source of trust and authority, and it issues every key in the system. An example of this is shown in Figure 12.9.
Figure 12.9. Single trust model.
The hierarchical trust model is quite common. It is based on the principle that everyone knows, and truly trusts, one common entity. This top layer of trust is known as the root CA. The root CA issues certificates to intermediate CAs, intermediate CAs issue certificates to leaf CAs, and leaf CAs issue certificates to users. An example of this is shown in Figure 12.10.
Figure 12.10. Hierarchical trust model.
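The hierarchy just described, built and validated with Go's standard crypto/x509 package, as an added example that is not part of the original text: a root CA signs an intermediate CA, the intermediate signs a leaf CA, and the leaf CA signs a user certificate; the verifier trusts only the root and checks every signature and every Not Before / Not After window on the way up. The CA names, the user name, and the 24-hour validity period are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 key pair and a certificate for cn that is valid for the next 24h
// (its Not Before / Not After window) and signed by parent; a nil parent yields a self-signed root.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // basicConstraints CA:TRUE plus keyCertSign let this tier sign the next one
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with crypto/rand
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // CreateCertificate output always parses
	return cert, key
}

// BuildHierarchy models root CA -> intermediate CA -> leaf CA -> user; only the root enters the trust store.
func BuildHierarchy() (user *x509.Certificate, roots, inters *x509.CertPool) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", 2, true, root, rootKey)
	leafCA, leafKey := issue("Example Leaf CA", 3, true, inter, interKey)
	user, _ = issue("alice@example.com", 4, false, leafCA, leafKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	inters.AddCert(leafCA)
	return user, roots, inters
}

// VerifyPath checks the path from user up to a trusted root as of time at: each signature, each validity window, and the CA bits of each issuer.
func VerifyPath(user *x509.Certificate, roots, inters *x509.CertPool, at time.Time) ([][]*x509.Certificate, error) {
	return user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
}
```

Without the two subordinate CA certificates in the intermediates pool, validation fails with an unknown-authority error even though the root is trusted, which is why a relying party in this model must receive the full chain and not just the user certificate.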
Web of Trust
A web of trust consists of many participants who sign each other's certificates. Users are validated on the basis of other users vouching for them. PGP is an example of an application that uses the web of trust model. A vulnerability of the web of trust is that a malicious user can sign bad or bogus keys and endanger the entire group. An example of the web of trust can be seen in Figure 12.11.
Figure 12.11. Web of trust model.
Protocols, Standards, and Applications