The Public Key Infrastructure PKI(X) standards defined by the IETF Public Key Infrastructure Working Group (http://www.ietf.org/html.charters/pkix-charter.html) define the technology for the digital certificate lifecycle, from issue to revocation. Several actors are defined in PKI RFC 2510, Internet X.509 Public Key Infrastructure Certificate Management Protocols:

Certification Authority (CA)—The entity that issues digital certificates and puts its name in the issuer field of a digital certificate.

Registration Authority (RA)—A separate entity that can handle supporting tasks such as personal physical authentication, token distribution, revocation reporting, name assignment, backup of key pairs, etc.
In known systems the RA and CA roles are taken by the same organization, which is simple from the PKI management point of view. For instance, a Service Provider SP doing critical business, such as a bank, has both roles: it performs the authentication in the RA role and generates the certificate in the CA role.
In known systems the Service Provider SP establishes (bootstraps) trust by registering the end user using face-to-face procedures involving physical validation of documents, filling in forms with personal information and optionally requesting third-party references. In other words, the Service Provider SP is forced to play the Registration Authority RA role. The cost associated with such registration procedures is often rather high, but unavoidable since there are no other working solutions.
In general, the RA can be operated by a different organization that offers its registration services to one or more CAs. However, there is no disclosure of how to implement such a split between the Registration Authority RA and the Certificate Authority CA.
WPKI is a Swedish project involving banks, operators and governmental organizations (see WPKI.NET). The project is defining and specifying a secure hard identity that can be used in banking, access to 24th governmental online services, enterprise services, among others. Important enablers in WPKI are PKI, a secure phone environment and SWIM, chosen because of previous deficiencies with soft PC-based certificates, which were easy for viruses to steal.
The Liberty Alliance LA project is a business-driven project with participation from more than 100 companies, ranging from Internet service providers and mobile network operators to financial institutions. Its purpose is to define Digital Entity standards that allow federations to be built. In the most common scenario, a federation consists of an Identity Provider (IdP) that centralizes authentication and several Service Providers (SP) that delegate authentication to the IdP.
In the case of a mobile network operator (MNO) that plays the IdP role, this means that users who want to access an SP need to contact the operator each time a service is requested, authenticate with the SIM, and obtain an authentication assertion that is then presented to the SP. This Liberty Alliance model, however, requires that the user/subscriber already has an account with the Service Provider SP, which in turn requires that the user/subscriber has separately established a trust relation with the SP without involvement of the operator. This is sub-optimal and not user friendly. Thus, centralized delegated authentication as in federated models like Liberty Alliance does not meet all market needs for all Service Providers, because of the drawbacks mentioned above.
The Generic Bootstrapping Architecture (GBA) defined in the 3GPP standard provides mechanisms that allow applications to authenticate users using shared keys that a Mobile Network Operator has negotiated with the user during the Authentication and Key Agreement (AKA) procedure. GBA also considers the case where the Service Provider is a CA that issues certificates to be used by other applications. As in the Liberty case, GBA requires an independent trust relation with the SP. The SP still has to authenticate the subscriber, since the MNO acts solely as a key generator and thus no authentication assertion is generated. On the other hand, the authentication carried out by the MNO in order to generate the appropriate keys is limited to AKA.
In prior art systems the concept of strong authentication is used. Owing to the pervasive use of weak authentication methods, e.g. user-friendly passwords, users of Internet services have been the target of increasing fraud such as hacking, identity theft, masquerade attacks and loss of privacy. The need for stronger authentication methods has increased over time for different situations. Strong authentication connotes a stringent level of security that combines different authentication mechanisms to validate a user's identity when accessing a software application or network. It represents a foundational element of trusted networks in which multiple business partners can securely share confidential information.