A non-user's guide to PKI

Public-key Infrastructure (PKI) is the term that is often used to describe the hardware, software, processes and policies that come about in managing a public-key system.

Having such an infrastructure would allow users to perform secure communications with others that they couldn't physically see in a more convenient manner.

There are several elements that need to be in place before the system can work. And though these may vary in name from case to case, they tend to perform similar roles, with some exceptions.

A typical public key infrastructure may consist of:

• A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key, and establishes the credentials of its owner when doing business or transactions, typically over a period of time before expiring. The CA also revokes an expired certificate.
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor. In some countries, RAs can be government or semi-government entities, while also being independant bodies in other countries.
• One or more directories where the certificates (with their public keys) are stored for reference and verification.
• A certificate management system, which includes staffing for the administration of the RA and CA, generating, distributing and managing key pairs and digital certificates.
  

The system works in such a way:

1. Both the public and private key are created simultaneously using the same algorithm.
2. The private key is kept secret by, while the public key is listed in an accessible directory.
3. Messages to the owner of the private key are encrypted using the public key, and decrypted using the private key only.
4. Messages from someone can be verified if they use their private key to encrypt a 'digital signature' that can only be decrypted using their public key - this authenticates that the sender is really who he says he is.
   

As you can see, the system requires a number of authenticating bodies to verify the validity of the information being sent or received.

As of yet, digital signatures are not legally recognized as binding in every country, though there are strong initiatives from many countries to start doing so.