Public key infrastructure (PKI) refers to set of roles, policies, and procedures to create, manage, distribute, use, store, and revoke digital certificates for public-key encryption. As designed, PKI includes (1) a global certificate authority (“CA”) that issues and signs digital certificates, (2) a global directory authority (“DA”) that stores digital certificates and lists of revoked digital certificates, indexes the digital certificates, and delivers digital certificates to requestors, and (3) a global registration authority (“RA”) that verifies the identity of an entity (e.g., a person or organization) who requests their digital certificate to be stored at the DA.
PKI scalability is based on the assumption of a single global ‘root’ CA, whose public key is well-known and uncompromised. By storing the root CA's public key at each endpoint, each endpoint would be able to authenticate every entity participating in the PKI. Interoperability would be possible by following a certificate path to the common root key.
However, this vision of PKI never materialized. Currently, thousands of ‘root’ CAs exist, including self-signed certificates that essentially masquerade as a ‘root’ certificate. Today's PKI is synonymous with CAs only; the DA function is usually replaced by Internet search engines or disparate enterprise directory services that focus on intra-enterprise trust.
The current method for finding a root certificate is at best hit-and-miss using search query strings. Furthermore, the computer relies on a human to verify the certificate path from a certificate to a CA root. The current method for determining the revocation status of a digital certificate requires tracing through a series of reports and advisories produced by Computer Emergency Response Teams (CERT).
The current approach to PKI for the Internet is unwieldy and not positioned to scale for the Internet of Things (IoT). Predictions suggest as many as 200 billion asymmetric key pairs may be in deployment by the year 2020. Current PKI implementations appear to have significant scalability challenges both in establishing trust in digital certificates and in verification of revoked digital certificates.