Public Key Infrastructure (PKI) has lately been the topic of a number of discussions in the information security community because of high-profile security breaches, modernization in web application frameworks, and developments in the information security industry. This article explains the role of commercial Certificate Authorities (CAs) in offering PKI services for SSL-secured websites, the issues facing CAs, how PKI trust is built on CAs, and forthcoming developments intended to address the challenges facing public PKI.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure (PKI) technology uses public key cryptography to solve a basic problem: allowing two parties (devices, people, applications, websites, etc.) that have no existing relationship with or trust in each other to exchange sensitive information. PKI addresses this by giving these parties a way to use a trusted third party to affirm each other's identities.
This article focuses entirely on the use of PKI for SSL certificates used on the public internet.
Since the end user visiting a website for the first time has almost no information that can be used to validate it, they depend on the services of a Certificate Authority (CA). A CA is an organization that acts as a trusted third party for SSL certificates issued to website operators.
Building Trust in the PKI Model
In the public PKI structure, trust decisions are usually made at three basic points: browser vendors trust a commercial CA enough to include it in their software, end users choose and use browser software that they consider trustworthy, and the CA vouches for the identity of commercial SSL websites.
Trusting Commercial CA
The commercial CA market and browser vendors usually agree on a set of audit standards that outline the security practices a commercial CA should implement and follow while issuing certificates to website operators. Presently these practices focus on making sure that the CA protects the key material associated with its root certificates, implements adequate controls to prevent fraudulent certificate issuance, and exercises due diligence in ensuring that the website owner is who he claims to be.
Trusting Website Operators
This involves two tasks: validating the ownership of a website and confirming the identity of the organization operating it. To confirm ownership, the CA usually verifies that the person submitting a request for an SSL certificate for a particular website is authorized to do so, by consulting the information present in the website's DNS records.
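The three trust points above (a CA root shipped by the browser vendor, the CA signing the operator's certificate, and the client checking the chain) can be reproduced in miniature with openssl. The following is an added example, not code from the article: a root CA stands in for a commercial CA, it signs a certificate for the constructed hostname www.example.test after the operator submits a request, and a client that trusts that root accepts the certificate while one that does not, or a certificate from an unknown CA, is rejected. The file names, subjects and hostname are all assumptions chosen for this illustration.

```shell
#!/bin/sh
# Added example: a miniature public PKI. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The CA's root key and self-signed root certificate: this is what a
#    browser vendor ships in its trust store once it decides to trust the CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Trusted Root CA" -days 30 2>/dev/null

# 2. The website operator generates its own key and a signing request (CSR)
#    for the hostname it claims to control (constructed name).
openssl req -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
  -subj "/CN=www.example.test" 2>/dev/null

# 3. After validating control of the name, the CA signs the CSR with its root key.
printf 'subjectAltName=DNS:www.example.test\n' > san.ext
openssl x509 -req -in site.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out site.crt -days 30 -extfile san.ext 2>/dev/null

# 4. A CA that no browser trusts signs the same CSR for the same hostname.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt \
  -subj "/CN=Untrusted CA" -days 30 2>/dev/null
openssl x509 -req -in site.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
  -out rogue-site.crt -days 30 -extfile san.ext 2>/dev/null

# verify_chain TRUST_STORE CERT: the client-side check a browser performs,
# prints "trusted" only if CERT chains to a root in TRUST_STORE.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "browser trusting root.crt, site.crt:       $(verify_chain root.crt site.crt)"
echo "browser trusting root.crt, rogue-site.crt: $(verify_chain root.crt rogue-site.crt)"
echo "browser trusting rogue.crt, site.crt:      $(verify_chain rogue.crt site.crt)"
```

Swapping the trust store changes the verdict even though the certificate itself is unchanged, which is exactly why the composition of the browser trust store, and a CA's protection of its root key, carries so much weight.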