Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion.
PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard. The framework was set up to enable authentication to happen across different networks and the Internet.
PKI provides authentication, confidentiality, nonrepudiation, and integrity of the messages exchanged.
PKI is made up of many different parts: certificate authorities, registration authorities, certificates, keys, and users.
The certificate is created and signed (digital signature) by a trusted third party, which is a **certificate authority (CA).** When the CA signs the certificate, it binds the individual’s identity to the public key, and the CA takes liability for the authenticity of that individual.
A CA is a trusted organization (or server) that maintains and issues digital certificates. When a person requests a certificate, the registration authority (RA) verifies that individual’s identity and passes the certificate request off to the CA. The CA constructs the certificate, signs it, sends it to the requester, and maintains the certificate over its lifetime.
Cross certification is the process undertaken by CAs to establish a trust relationship in which they rely upon each other’s digital certificates and public keys as if they had issued them themselves.
The CA is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL).
Online Certificate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. OCSP checks the CRL that is maintained by the CA.
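The roles above (CA issues and signs a certificate that binds a subject name to a public key; a relying party validates the chain back to a trusted root; the CA publishes a signed CRL that the relying party consults before accepting the certificate) can be exercised end to end with nothing but the Go standard library. The following is an added example written for these notes, not code from the CISSP guide or its author. It assumes Go 1.19 or newer, and every name in it (the "Example Root CA" subject, the "alice@example.test" end-entity, the serial numbers) is constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the artifacts a toy CA produces entirely in memory (constructed
// for this example): the self-signed root, its signing key, and one issued
// end-entity ("leaf") certificate with its key.
type PKI struct {
	CACert  *x509.Certificate
	CAKey   *ecdsa.PrivateKey
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

// buildPKI plays the CA: it creates a self-signed root, then signs a leaf
// certificate so that the subject name is bound to the leaf's public key.
// The RA step (identity vetting) is assumed to have happened before this.
func buildPKI() (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// A CA needs CertSign to issue certificates and CRLSign to issue CRLs.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "alice@example.test"}, // constructed subject
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// The parent is the CA certificate and the signing key is the CA's key:
	// this signature is what "binds" the identity to the leaf public key.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &PKI{CACert: caCert, CAKey: caKey, Leaf: leaf, LeafKey: leafKey}, nil
}

// issueCRL has the CA sign a revocation list naming the given serial numbers.
func issueCRL(p *PKI, revoked []*big.Int) ([]byte, error) {
	now := time.Now()
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// validate is the relying-party side: build a chain from the leaf to the
// trusted root, then refuse the certificate if the CA-signed CRL lists it.
func validate(leaf, root *x509.Certificate, crlDER []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	// A CRL is only trustworthy if the CA signed it and it is not stale.
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past its NextUpdate; refresh it before trusting it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	crl, _ := issueCRL(p, nil)
	fmt.Println("before revocation:", validate(p.Leaf, p.CACert, crl))
	crl, _ = issueCRL(p, []*big.Int{p.Leaf.SerialNumber})
	fmt.Println("after revocation:", validate(p.Leaf, p.CACert, crl))
}
```

Note that `validate` checks the CRL's own signature and freshness before using it: a CRL that is unsigned, signed by the wrong key, or past its `NextUpdate` tells the relying party nothing about revocation, which is the same reason an OCSP response must be checked as a signed, time-bounded statement from the CA (or its delegated responder) rather than taken at face value.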
For the remaining content, see my WeChat official account debugeeker; the link is CISSP考试指南笔记:3.18 公钥基础设施 (CISSP Exam Guide Notes: 3.18 Public Key Infrastructure).