Conventional Public Key Infrastructure (PKI) systems are centralized (one big server). This leads to issues with scalability and management (the Registration Authority (RA) is “too far removed” from the applicants for client certificates). No one would try to create a single giant Domain Name System (DNS) Server that could provide mapping of domain style nodenames (FQDNs) to IP addresses for the entire Internet. No one node could handle the bandwidth or processing requirements. The “one big server” approach can handle the volumes for server certificates (a few million), but each secure server might have thousands or even millions of users, each of which requires a unique client certificate. The volume of client certificates could be several orders of magnitude greater than that of server certificates—too large to handle from a single big server. Validating information for server certificates is also simpler than validating information for client certificates, and is best done “near” to the applicants (e.g. by an organization for its employees or customers).
Conventional PKIs systems are also mostly based on web protocols. This introduces security and reliability issues (due to dependence on web browsers and servers and the nature of Hypertext Transfer Protocol (HTTP)), as well as usability (too many complicated manual procedures that require knowledge of PKI and cryptography). Due to the large number of deployed legacy web based products, it is difficult to require (or even implement) recent security standards (like Transport Layer Security (TLS) v1.2), leading to vulnerabilities for which solutions already exist.
DNS worked fairly well for the IPv4 Internet, providing name resolution for mostly static servers. Even with Domain Name System Security Extensions (DNSSEC) (digital signing of all resource records), it is having more and more serious security issues. Again, the large installed base of DNS makes such improvements very difficult (after 15 years, DNSSEC is still not widely deployed, and most client software cannot make use of its new information). It is not very responsive (new information may take 24-48 hours to become available globally). This is a problem for highly mobile IPv6 nodes (like phones or tablets), that might change IP address multiple times in a single day. It also has no integrated user directory, hence no per-user authentication. Dynamic registration is difficult and completely unsecured.