Businesses and governments utilize identity management systems to manage user identities across multiple systems and applications in order to ensure that unauthorized parties do not access sensitive user communications.
Certain identity management solutions rely on a system known as Public Key Infrastructure (PKI), which enables users to be authenticated to each other by confirming identities through a trusted third-party entity. Each PKI user is issued both a private key, such as a code or other identifier that is known only to the user, and a public key, which is disclosed to all users. Central to a PKI system is the fact that the public key is issued by the trusted third party. For example, if user A wishes to send a sensitive message to user B, user A would use user B's public key available from the trusted third party to encrypt the message, which user B would decrypt with his private key. If public keys were not controlled by a trusted third party, however, a malicious party could publish a public key purporting to be user B, and thereby intercept messages to user B using the phony public key's private equivalent. To avoid this problem, institutions known as Certificate Authorities (CA) often serve the role of independent, trusted third parties to issue and manage identity certificates. In addition to encrypting messages (which ensures privacy), user A can authenticate himself to user B by using user A's private key to encrypt a digital certificate. When user B receives it, she can use her public key to decrypt it, verifying first with the CA that the digital certificate is valid. However, there is currently no single CA for PKI systems. Companies seeking to communicate securely with a range of different users often must utilize many different CAs, which each use their own infrastructures and rule sets. Examples of CAs include Identrus, Entrust and VeriSign.
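The lookup-then-encrypt flow described above can be sketched as follows. This is an added example, not part of the original text: the sender accepts a public key for user B only if the CA has signed the binding between B's identity and that key. It assumes toy textbook RSA over small Mersenne primes (insecure, for illustration only), and all names (`ca_issue`, `verify_cert`, `encrypt_for`, `"user-b"`) and sample values are constructed for this sketch.

```python
import hashlib

def mersenne(k):
    return 2**k - 1  # prime for k in {61, 89, 107, 127, 521, 607}

def make_key(p, q, e=65537):
    """Toy textbook RSA (no padding, tiny keys): returns (public, private)."""
    return {"n": p * q, "e": e}, pow(e, -1, (p - 1) * (q - 1))

def binding_digest(identity, pub, modulus):
    # Hash of the identity-to-key binding that the CA vouches for.
    data = f"{identity}|{pub['n']}|{pub['e']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def ca_issue(ca_pub, ca_priv, identity, pub):
    """Signer binds an identity to a public key (a minimal 'certificate')."""
    digest = binding_digest(identity, pub, ca_pub["n"])
    return {"identity": identity, "pub": pub,
            "sig": pow(digest, ca_priv, ca_pub["n"])}

def verify_cert(ca_pub, cert, expected_identity):
    """True only if the trusted CA signed this exact identity/key pair."""
    if cert["identity"] != expected_identity:
        return False
    expected = binding_digest(cert["identity"], cert["pub"], ca_pub["n"])
    return pow(cert["sig"], ca_pub["e"], ca_pub["n"]) == expected

def encrypt_for(ca_pub, cert, recipient, message_int):
    # Refuse to encrypt to a key the CA has not vouched for.
    if not verify_cert(ca_pub, cert, recipient):
        raise ValueError(f"key for {recipient} is not vouched for by the CA")
    return pow(message_int, cert["pub"]["e"], cert["pub"]["n"])

def decrypt(pub, priv, ciphertext):
    return pow(ciphertext, priv, pub["n"])

# Constructed sample data: a CA, user B, and an impostor claiming to be B.
CA_PUB, CA_PRIV = make_key(mersenne(127), mersenne(107))
B_PUB, B_PRIV = make_key(mersenne(89), mersenne(61))
FAKE_PUB, FAKE_PRIV = make_key(mersenne(607), mersenne(521))
B_CERT = ca_issue(CA_PUB, CA_PRIV, "user-b", B_PUB)
# The impostor can only sign its own binding; it does not hold CA_PRIV.
FORGED_CERT = ca_issue(FAKE_PUB, FAKE_PRIV, "user-b", FAKE_PUB)
MESSAGE = int.from_bytes(b"wire 100", "big")

if __name__ == "__main__":
    print("genuine accepted:", verify_cert(CA_PUB, B_CERT, "user-b"))
    print("forged accepted:", verify_cert(CA_PUB, FORGED_CERT, "user-b"))
```

The sender's only trust anchor is `CA_PUB`; a key published without a valid CA signature is rejected before any message is encrypted to it.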
In attempts to simplify communications between clients and various public key infrastructures and certificate authorities, others have proposed that all clients in need of PKI service implement a generic protocol for PKI-related communications. Such communications would then be translated by a central service into the protocol and format used by a destination PKI. However, certain PKI protocols have advantages and disadvantages over other PKI protocols. Thus, various entities may have legitimate desires for using specific PKI protocols based on their particular application set and user base. Similarly, adopting a generic protocol provides disincentives for making advances in PKI protocols, as changes to protocols would need wide acceptance before they are incorporated into the generic protocol. Thus, a need remains in the art for a PKI architecture that both promotes interoperability between PKI protocols and retains the ability for PKI users to adopt, develop, and/or modify a PKI protocol that makes the most sense for the user.