PKI Technologies

Browse, edit, or add to this section of the IDtrust Wiki Knowledgebase. (If you're unsure where to place your information, see Contribute Content.)

Introductions to PKI

There are a great many introductions to PKI available online (and in text books).

Newcomers to the field should be aware that PKI has shifted ground subtly since the mid 00's, rendering older introductions a ittle staid and one dimensional. In particular, "PKI 101" materials tend to focus on e-mail as an archetypal application and the task of two strangers (cryptography's comic book heros Alice and Bob) identifying and hence "trusting" one another. Modern PKI is more nuanced -- with a concern for credentials, qualifications and attributes rather than personal identity -- and involvesa plurality of different certificates for different contexts. E-mail is not a great PKI application in practice; better examples are found in special purpose B2B applications and in embedded systems. SeeCase Studies.

The original PKI Forum (the forerunner to the OASIS IDtrust Member Section) produced two "PKI Basics" papers: A Technical Perspective and A Business Perspective.

See also Robert J. Brentrup, Public Key Cryptography Demystified, Campus Technology, 4/29/2003.

The American Bar Associatin has developed a useful Digital Signature Tutorial that crosses over between technlogy and the fundamental legal issues.



PKI Derivatives


The basic idea of PKI -- which can be thought of as a coordinated suite of technlogies, standards, management processes and agreements -- has led to numerous spin off approaches. Some like SPKI ("Simple PKI") have attempted to streamline the approach at the certificate protocol level. Others have deployed the basic elements in different form factors, such as wireless.




Smartcards are not strictly speaking a derivative of PKI (many would argue that smartcards pre-date PKI), but we cover them here under derivatives for two reasons. First, PKI has become prevalent as an integrated part of most modern smartcards, including banking cards, national ID, employee ID, and health & welfare. And second, the attractive features of on-chip key generation and integrated digital signing services make smartcards an increasingly important key medium in PKI.

US Government smartcard resources


Important PKI enabled smartcard schemes



Important smartcard standards


  • FIPS 201 "Personal Identity Verification (PIV) of Federal Employees and Contractors"
  • ISO 7816 "Identification cards - Integrated circuit(s) cards with contacts"




SPKI (stands for "Simple PKI") was an effort, now defunct, to streamline traditional PKI.

The SPKI Working Group of the IETF worked in the late 1990s but was disbanded around 2001.

"The task of the SPKI working group [was] to develop Internet standards for an IETF sponsored public key certificate format, associated signature and other formats, and key acquisition protocols. The key certificate format and associated protocols [were] to be simple to understand, implement, and use. For purposes of the working group, the resulting formats and protocols [are] known as the Simple Public Key Infrastructure, or SPKI.

"The SPKI is intended to provide mechanisms to support security in a wide range of internet applications, including IPSEC protocols, encrypted electronic mail and WWW documents, payment protocols, and any other application which will require the use of public key certificates and the ability to access them. It is intended that the Simple Public Key Infrastructure will support a range of trust models.]


In the view of this author at least, the sorts of things that need simplifying in traditional PKI are not related to certificate format or key acquisition protocols. Rather, it is the needless complexity of trying to create a legal basis for general purpose identity certificates, and "stranger-to-stranger" e-business that has made orthodox PKI so difficult. Embedded PKI, with focussed applications and usage agreements, has proven to be simple without the formal low level approaches anticipated by SPKI in the late 1990s.

Some important SPKI drafts include:

RFC 2692 - SPKI Requirements. The SPKI Working Group first established a list of things one might want to do with certificates (attached at the end of this document), and then summarized that list of desires into requirements. This document presents that summary of requirements.

RFC 2693 - SPKI Certificate Theory. This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested.


Wireless PKI


WPKI is simply the deployment of public key infrastructure using private keys and cryptographic functions in wireless devices, especially mobile phones.

WPKI standards were developed by the WAP (Wireless Application Protocol) Forum, until that group merged with the Open Mobile Alliance (OMA).  

See also:






PKI methods and mechanisms



PKI Regulations & Assurance Programs


For a general overview of the context of e-signature governance, see Policy Frameworks.

A small set of representative e-signature regulation examples follow.

Prescriptive PKI jurisdictions

India: Information Technology Act - 2000

Note that Indian PKI laws prohibit chaining to offshore root CAs.

Malaysia: Digital Signatures Act - 1997


Two Tier PKI Jurisdictions and Regulators

Hong Kong's Office for the Recognition of CAs

Directive 1999/93/EC of the European Parliament on a Community framework for electronic signatures

UK: Electronic Signatures Regulations - 2002

Light touch e-signature jurisdictions


E-SIGN - Electronic Signatures in Global and National Commerce Act 2000

Australia: Electronic Transactions Act - 2000

New Zealand: Electronic Transactions Act - 2003

Singapore: Electronic Transactions Act - 1998

PKI Assurance Programs


WebTrust for CAs - of the American Institute of Certified Public Accountants is a world-wide trust mark for CAs, derived from the AICPA's more general "Webtrust" program for e-commerce sites.

The UK's tScheme is an independent, not-for-profit company providing assessment of trust service providers against Approval Profiles, in accordance with European Unionqualified e-signatures legislation.


PKI Schemes, Communities and Associations


Regional PKI Fora

Asia PKI Consortium (APKIC, formerly the Asia PKI Forum)

China PKI Forum

Japan PKI Forum

Taiwan's PKI Interoperability Management and Promotion Program


Vertical sector PKIs

Banking sector: Identrust

Trade documentation (North Asia): Pan Asia Alliance

Pharmaceutical industry: SAFE Biopharma

Australian Tertiary Education Sector PKI Project

Closed and embedded PKIs

Cable Labs set top box PKI

Skyp's Zero User Interface (ZUI) PKI (description by the Skype CSO)

Government PKIs

US Federal PKI (FPKI Steering Committee)

US Federal Bridge CA

Australian Government Project Gatekeeper

Open source PKI

Open CA Labs (formerly the Open CA Project).

PKI Standards and Protocols

PKI Standards Work

The dominant PKI-related standards can be found at the following organisations and working groups.

PKIX - the public key working group of the IETF

IETF Security Area

IETF S/MIME Mail Security (see also the Internet Mail Consortium S/MIME site)

IETF Transport Layer Security (TLS)

IEEE Standards for Public Key Cryptography

ANSI X9.79 - Financial Industry PKI Standard

RSA PKCS standards series, most of which have moved into the public domain

NIST Federal PKI Technical Working Group (now inactive)



The Major PKI Related RFCs

The chair of the IETF's PKIX Working Group once named these as the most important of their RFCs to do with public key security.

RFC3820 X.509 PKI Proxy Certificate Profile

RFC2560 Online Certificate Status Protocol - OCSP

RFC2527 X.509 Certificate Policy and Certification Practices Framework. Superseded by RFC 3647.

RFC3647 - X.509 Certificate Policy and Certification Practices Framework. Supersedes RFC 2527.

RFC2511 - Certificate Request Message Format

RFC2797 - Certificate Management Messages over CMS

RFC3039 - PKI Qualified Certificates Profile

RFC3161 - Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)

RFC3281 - An Internet Attribute Certificate Profile for Authorization.



PKI use cases

Retail Sector


Finance Sector

See Digital Notary Case Study from the OASIS PKIA TC.

BACSTEL-IP Secure Payment Submission Case Study The UK payments clearing house BACS built one of the largest PKIs in the banking sector. From the Thales case study:

"BACS (Bankers Automated Clearing System), the UK ACH service, is one of the largest and most successful money transfer organisations worldwide. Its Direct Debit and Direct Credit services process over 60m payment items in a busy day, on behalf of over 100,000 UK businesses. BACSTEL is the access mechanism used for submission of all of these payment instructions. It has been operating for over 20 years with superb reliability and efficiency, consistently exceeding all operation targets. However, the infrastructure of BACSTEL is now aging rapidly, proving more expensive than more modern alternatives to operate and lacking the flexibility to support new, innovative services.

"As the first phase of its ambitious 5 year technology renewal programme, NewBACS, BACS has introduced a replacement for this access network, called BACSTEL-IP. Rather than opting for a conservative, direct replacement strategy, BACS has devloped a truly innovative solution, using state of the art security technology to deliver a platform for dramatic improvements in the services offered to business users, substantial cost savings and, perhaps most important of all, the delivery of advanced new payment services to keep the UK at the forefront of electronic commerce developments."

Technology Overview and Updates Presentation by the Mortgage Bankers Association of America 2006, emphasising the importance of e-signatures and PKI.

See also Identrus, the worldwide private PKI for the banking industry.

Health Sector

See also Health eSignature Authority Case Study and the ClinPhone Clinical Studies Software Case Study from the OASIS PKIA TC.

Smart Patient Data - Case study report from a paryly government funded R&D project. Smart Patient Data is a simple, user friendly and secure system that uses Public Key Infrastructure and secure tokens to access records and share patient summaries over the Internet.

Business Planning for Healthcare Enterprise PKI - A slide deck from Ann Geyer and Bill Pankey, Tunitas. See also Tunitas' Healthcare PKI pages.

US Healthcare PKI Note - An original PKI Forum white paper, March 2001.

Report: EDUCAUSE - NIH PKI Interoperability Pilot Project

Peter Alterman, Russel Weiser, Michael Gettes, Kenneth Stillson, Deborah Blanchard, James Fisher, Robert Brentrup, Eric Norman

"Under mandate to adopt broad electronic business methods by October, 2003, Federal Agencies are working hard to figure out ways to put their business on-line in a way that is secure. A leading contender to make e-government secure is and trustworthy public key cryptography. At the same time, farsighted institutions of higher education have been
busy deploying PKIs and issuing digital certificates to their faculties and staffs to enable secure, electronic business with the government and with each other. These institutions wish to use their locally issued digital credentials to do electronic business with the government securely. The NIH, in turn, wishes to be able to rely on business partner issued digital credentials, thereby avoiding the cost and administrative burden of issuing and managing
electronic credentials. NIH and EDUCAUSE jointly constructed a PKI interoperability pilot
project that demonstrated the ability of the Federal Government to receive electronic forms signed with digital certificates issued by institutions of higher education. "

21 CFR Part 11 Electronic Records; Electronic Signatures - Food & Drug Administration

PKI Concerns In Healthcare Settings - Kaiser Permanente, 2000

This Tunitas report discusses issues regarding Public Key Infrastructure (PKI)
implementations in healthcare settings. It is based on the experience of Kaiser
Permanente during preliminary design of an Enterprise PKI for multiple applications.
Issues addressed include:
• Technical and operational PKI interoperability between healthcare providers,
partners, affiliates, and patients.
• Privilege management in healthcare
• Long-term storage of electronic medical records.

See also the Tunitas Group's Perspectives on Information Technology for the Health Care Industry at health PKI.



US Dept of Defense PKI Homepage

Canada: Policy for Public Key Infrastructure Management in Canada.

Advances and Remaining Challenges to Adoption of PKI - United States General Accounting Office Feb 2001

What Governors Need to Know About E-SIGN - National Governors Association, 2000

Guidance on Implementing the ESIGN Act - Office of Management and Budget 2000

US Government Smart Card Handbook - US General Services Administration

FDIC deploys smart cards and PKI -

An Overview of Public Key Certificate Support for Canada's Government On-Line - Mike Just, Treasury Board of Canada, 2003, presented to the 2nd Annual PKI Research Workshop

See also NASA PKI case study.


Australian Access Federation (AAF) "will develop and deploy an infrastructure to facilitate trusted electronic communications and collaboration within and between higher education and research institutions both locally and internationally as well as with other organizations, in line with the NCRIS objective of providing researchers with access to an environment necessary to support world-class research".

See also Australian Access Federation PKI Deployment.

PKI: A Technology Whose Time Has Come in Higher Education - Peter Alterman EDUCAUSE July 2004

EDUCAUSE - NIH PKI Interoperability Pilot Project - Peter Alterman et al 2002. A paper presented to the 1st Annual PKI Research Workshop at Dartmouth College April 2002

EDUCAUSE PKI Interoperability Project - Electronic Grant Application With Multiple Digital Signatures, Peter Alterman 2002

PKI Workshop Summary and Recommendations - Burton Group 2002. The Burton Group was retained by Cornell University to conduct a workshop into Cornell's enterprise PKI requirements and develop a set of recommendations.