|
Certificates and PKI
Draft: Why PKI? (PDF) -
HEPKI -
S/MIME -
Internet2 PKI Labs
There is considerable interest in the use of X.509 certificates to address a number of network computing needs in higher education. The technology itself is powerful and elegant, but there are several major challenges to the widespread successful use of certificates. This page discusses some of these issues.
The software, protocols and legal agreements that are necessary to effectively use certificates combine to form a Public Key Infrastructure (PKI). A PKI has several components.
- A Certificate Authority (CA), that manages and signs certificates for an institution
- Registration Authorities, operating under the auspices of the CA, that validate users as having been issued certificates
- PKI management tools, including software to manage revocations, validations and renewals
- Directories to store certificates, public keys, and certificate management information
- Databases and key-management software to store escrowed and archived keys
- Applications that can make use of certificates and can seek validation of others' certificates
- Trust models that extend the realm of secure communications beyond the original CA
- Policies that identify how an institution manages certificates, including legal liabilities and limitations, standards on contents of certificates, and actual campus practices
Among the potential uses for certificates are individual authentication, email encryption, digital signatures, and access controls. Each of these uses can place different requirements on the PKI components. For example, private keys for encryption may be escrowed, while private keys for signatures may not be.
References
Certificate profiles and sample certificates, collected by HEPKI-TAG
Digital Library Federation digital certificates prototype
Federal PKI Technical Working Group
|
