A set of services that support the use of public key cryptography in a corporate or public setting. A public key infrastructure (PKI) enables key pairs to be generated, securely stored, and securely transmitted to users so that users can send encrypted transmissions and digital signatures over untrusted public networks such as the Internet.
An effective, trustworthy public key infrastructure is essential for secure e-mail and World Wide Web (WWW) transactions, e-commerce, and virtual private networks (VPNs).
Generally, a public key infrastructure consists of the following coordinated services:
Public key infrastructures can have different scopes. For example, a corporate enterprise can use Microsoft Certificate Server to establish a PKI for all its users and for those of partner companies such as suppliers and wholesalers. The PKI system can then be used to secure transactions between users that are sent over the Internet. PKIs can also be established on a national or global scale to support secure e-commerce transactions over the Internet involving users and vendors who are geographically and politically separated. PKIs on this scale consist of a hierarchy of CAs managed by different governments or companies and linked to a trusted root CA (such as the U.S. government). The current leader in worldwide PKI implementation is probably VeriSign, Inc., which is both a vendor of CA software and a CA.
In order for a public key infrastructure to work, it must be implemented in a hierarchical fashion with authorities, super-authorities, and root authorities, similar to the Internet’s Domain Name System (DNS). Standards bodies and cryptography vendors such as PKIX of the Internet Engineering Task Force (IETF), Pretty Good Privacy (PGP), Simple Public Key Infrastructure (SPKI), and Public Key Cryptographic Standards (PKCS) have proposed a global public key infrastructure, but no universal standard for a public key infrastructure has been agreed upon, and implementations of the existing standards are often not interoperable.