Welcome to

PKI University

Frequently Anticipated Questions

Q: What is PKI?

PKI is a set of construction materials.

Q: What do the initials PKI stand for?

Historically they have stood for "Public Key Infrastructure." This set of construction materials depends upon things called public keys and private keys, but only public keys are considered to be part of it, as reflected in the name.

Q: Why is that?

Here's one explanation.



Q: How does a computer technology become a set of construction materials?

Think about buildings for a moment -- bounded indoor spaces where we can have private meetings, keep our files, let our kids hang out away from open, unprotected outdoor spaces. Interior and exterior walls that meet building codes create protected spaces that are designed for the use of specific groups of people for specific purposes. Building codes and occupancy permits assure that office buildings and residences and meeting halls provide spaces where people can gather and share information apart from the busy roadways that transport us to the buildings.

One thing we typically don't have to pay a lot of attention to are the identities of the people entering a building. Familiar faces or business cards and other cues tell us who is in the room with us, or who is asking to proceed beyond the reception desk. In movies, spies know how to subvert such informal systems of recognition, but in normal circumstances they work quite well; subverting such systems is risky and difficult.

Online buildings provide similar benefits to physical buildings. You can have spaces that are private and secure, where you know that private information stays private, and you can know that those in a room with your kids are who they say they are. You can have all this without the complex and faulty systems that rely upon the impossible task of determining the intentions of senders of streams of bits.

The one big difference between physical buildings and online buildings involves identity. We can rely upon intuition and informal cues to determine identity in most physical circumstances, but that does not work online. Conversely, when we establish reliable identity credentials using PKI technology, we have a high level of confidence that people are who they say they are.

Q: But what, really, is PKI? If it's a set of construction materials, how does it work? What's it made of? 

PKI starts with pairs of numbers called keys. The numbers are mathematically related, such that any "puzzle" made with either key may only be solved using the other key in the pair.

Every user in a PKI gets a key pair for making and solving puzzles.  One of the keys, or numbers, is kept secret, while the other may be freely shared with anyone.

So if you want to send a message or a file  in secret, you look up the recipient's public key and make a puzzle out of the message or file using the recipient's public key. Only one person in the world can solve that puzzle and read the message or file: the person with the private key that goes with that particular public key. Your intended recipient is the only person who can read it.

If on the other hand your concern isn't secrecy but you do want your recipient to know that a message or file really came from you and not some impostor, and you want your recipient to know that it hasn't been changed by anyone after you sent it, you would use your own private key to make a puzzle from a condensed form of your file or message. When your recipient solved the puzzle with your public key he (or anyone else) could see that it really came from you and has not been altered.

So you can see that PKI relies upon private keys as well as public keys, and that the making and solving of puzzles is the essence of PKI. So we'll call the user's pair of keys a puzzle kit, and we'll let PKI stand for Puzzle Kit Infrastructure.  

Now, if I know you well and you have shared your public key with me in person, then I can be confident that a message signed by you is really from you. But PKI's real value is bringing authenticity to the Internet, where we often deal with people we haven't met. We also deal with people we know well, but we're not about to spend valuable face time with them exchanging keys.

Just as our physical world calls for passports and drivers' licenses and birth certificates issued by public authority to attest that we are who we say we are, in the online world we need a certification authority that we trust to attest that a particular public key really does belong to the person who claims it. The certification authority signs public keys using the same process that we use to sign messages and files.

The signed public key, plus any information that goes with the key (such as the identified person's name) is called a certificate. Sometimes the term certificate has been used to refer to both the signed public key and the corresponding private key. This is both incorrect and immensely confusing.

So, a PKI - Puzzle Kit Infrastructure - consists of puzzle kits, one for each person involved, and a certification authority that signs public keys. If it's properly designed, a PKI provides authenticity, confidentiality, and manageability.

"Properly designed" means that those who rely upon a PKI must be able to know how rigorous was the enrollment process that assigned puzzle kits (public and private keys) to its members. The certification authority must be a reliable source of information about the reliability of identities.

How well has PKI fulfilled its goals of providing widespread authenticity, security and manageability? How reliable has "old" PKI - the one that stands for Public Key Infrastrucutre - proven to be?

The story of PKI has been a lot like the story of other construction materials.