How does it work?
A PKI is made up of several central systems known as Certification
Authorities (CAs). These CAs are logically arranged in a tree-like
hierarchical structure. Each user's Public Key and identification are
placed in a message called a certificate. The user's CA digitally signs
each certificate and makes the user's Public Key certificate available,
together with all other users' certificates, through publicly
accessible bulletin boards such as X.500 Directories. Any user can
therefore fetch any other user's Public Key from a bulletin board and
verify that it is authentic by using the CA's Public Key to check the
CA's signature on the certificate. The CA at the top of the hierarchy
signs the certificates containing the Public Keys of the CAs directly
subordinate to it, those CAs sign the certificates of the CAs below
them, and so on. Because this sets up a chain of trust between the CAs
in the infrastructure, a Public Key signed by any CA in it can be
verified by following the chain of signatures back to the top-level
CA, whose own Public Key the verifier must already hold from a trusted
source.
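The hierarchy and the chain-of-trust check described above, as an added example in Go (not code from the original page) using the standard library's crypto/x509: the root CA signs the subordinate CA's certificate, the subordinate CA signs a user's certificate, and a relying party accepts the user's certificate only when the signatures lead to a root it already trusts. The names ("Root CA", "Subordinate CA", alice@example.test) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair for cn and returns its certificate signed with parentKey;
// parent == nil means self-signed, i.e. the root CA at the top of the tree.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // the "identification" in the certificate
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		IsCA:                  ku&x509.KeyUsageCertSign != 0, // only CAs may sign certificates
		BasicConstraintsValid: true,                          // makes the IsCA bit authoritative
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildHierarchy is the tree from the text: root CA -> subordinate CA -> user (constructed names).
func BuildHierarchy() (root, sub, user *x509.Certificate) {
	root, rootKey := issue("Root CA", x509.KeyUsageCertSign, nil, nil)
	sub, subKey := issue("Subordinate CA", x509.KeyUsageCertSign, root, rootKey)
	user, _ = issue("alice@example.test", x509.KeyUsageDigitalSignature, sub, subKey)
	return root, sub, user
}

// VerifyUser is the relying party's check: the user's certificate is accepted only if
// its signature chain leads, via the intermediate CA, to the root the verifier trusts.
func VerifyUser(user, intermediate, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

A root CA with the same name but a different key does not vouch for the chain: matching on the issuer name alone is never enough, the signature must verify under the trusted root's key.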