Ken Myers

Identity is all around us. Let's make sense of it.

Follow me on GitHub

Reproduced here from LinkedIn

Top Three Uses for Public Key Infrastructure (PKI)
Kenneth Myers December 4, 2017 5 min read

Public Key Infrastructure or PKI has been around for more than twenty years (thirty?!?) and just like any twenty-year-old, it may have finally found its home with device protection. When PKI first hit the scene, it was revolutionary. A way to share information without sharing the same secret key with multiple people (An excellent primer on PKI is on Khan Academy) .

It had a private key which only the owner would “know” and a public key which they used to share information. The secret in the sauce lay in that the numbers or keys were so big it would be almost impossible for either a person or computer to guess the two and decipher a message. I like the Khan Academy example of using colors for everyone who is either new to PKI or a fan of analogies (me!).

PKI can be broken down by either the user and uses.

User: People or Non-People
Uses: Authentication, Signature, or Encryption

There are only two types of PKI users; people and non-people (e.g., devices such as printers, servers, and other “things”). There are a lot of different fine-grained PKI type, but three essential uses; authentication, signature, and encryption. Someone or something is either using PKI to authenticate to something else, signing a digital artifact like a document or a challenge/response, or encrypting information. One important point to keep in mind is digital signatures are a form of electronic signature and not vice versa. A digital signature is a cryptographically secure signature (e.g., with math!). An electronic representation of your signature is not a digital signature (in most cases). Based on these uses, non-people or device PKIs have found the broadest success thanks to the internet.

PKI implementation and maintenance can be challenging without the proper third-party integration and user education. APIs and plug-ins provide flexibility, but native, default support is the key to success. Native in this context is “out-of-the-box” support. No need to change anything because it works as expected from the factory. Native support is a key because PKI is customizable in some different ways through certificate extension configurations. PKI extensions allow a PKI owner to limit the types of certificates trusted, number of certificates in a validation chain, or validation checking. Without native support, an organization may be operating in a false sense of security that only certificate types of certificates are trusted. From this perspective, the WebPKI or the network of websites secured with PKI certificates (almost all at this point) demonstrates the need for agreed-upon standards between both those who issue certificates and the software that validates them.

PKI is not a “one-size fits all” solution. It may work great for desktops, websites, and printers, but email or mobile is a whole new ball game. Leveraging PKI for low-risk transactions or situations where a lower assurance credentials are sufficient may not be necessary. PKI is advantageous for the following use cases until something better comes along:

- People authentication to high-risk websites or networks.
- Data-at-rest and in-transit encryption.
- Digital signature on documents (not to be confused with electronic signature solutions like DocuSign, but DocuSign is more natural to use and provides comparable assurance)

PKI can be a great tool but is not a one-size-fits-all solution. It requires both trusted operations and recognition by business partners to have any return on investment outside of the owning organization. The most extensive use of PKI today is with devices, specifically websites, and its adoption continues to grow to other types of devices.

Did I miss something or need a better explanation? Leave a comment!