Before evaluating the relevance of Public Key Infrastructure (PKI) today, let’s first review what PKI is and how it works.
PKI is based on asymmetric cryptography, i.e. public/private key pairs. A trusted third party, the certificate authority (CA), uses its own private key to sign a certificate that binds a public key to identifying data about the key's owner; the CA's signature is what gives the certificate its authority. Traditionally, certificates have been issued to individual people. A relying party (a service that needs to know who it is dealing with) inspects the certificate, checks that it was signed by a CA it trusts, and can then be assured it holds the public key of the person named in the certificate. That public key can then be used to initiate transactions with the individual, with assurance that the communication is directed to the right party. Note what a certificate alone does not prove: the relying party must also see the counterpart demonstrate possession of the matching private key, and must check the certificate's validity period and revocation status, or the identity check is incomplete.
PKI has been a cornerstone of cryptographic security for many years. Digital identity is one of its primary use cases, allowing enterprises to control access to internal or external networked resources. A vast number of HSMs are deployed in enterprise datacenters around the world, including for offline root CAs, storing the roots of trust and controlling access to the keys that sign the public key certificates tying an individual to their digital identity.
However, in the current digital age, where automatic, online and continuous access is required, having a person in the loop to identify or authenticate themselves simply does not scale. Does this mean that PKI is no longer relevant?
No, it doesn't! PKI remains as relevant in these new environments as it was when first deployed. However, instead of being used to identify individuals, PKI is now used to identify devices. It is still imperative that a device requesting access to the network, or to a resource, be identified as trusted. It remains just as important for applications to be sure they are communicating, or sharing data, with the device they intend to connect with.
The proliferation of connected devices continues unabated. To transfer or share data, IoT devices need to get online, communicate with each other, and interact with management systems or data repositories. These devices need identities in the same way individuals do; in the world of IoT this is called credentialing, but the goal is the same. The device's identity is a public key, and another entity can trust it because that public key is carried in a certificate signed by a trusted third party (the CA). The matching private key must stay on the device, ideally in a secure element, since anyone who holds it can impersonate the device.
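The trust relationship described above (a CA signs a certificate, a relying party validates the chain back to a CA it trusts) and its application to device identity can be shown end to end with the Go standard library. This is an added example, not code from the original article: it stands up a hypothetical "Example Device CA", issues a certificate to a hypothetical device "sensor-0042", and has a relying party verify it, then shows that the same device name in a certificate from an untrusted CA is rejected. The CA key is held in memory here purely for illustration; as the text notes, in production it would live in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a random 128-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA generates a CA key pair and a self-signed CA certificate.
// The CA private key is kept in memory for this example only; a real
// CA would keep it in an HSM (offline, for a root CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name}, // hypothetical CA name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Passing tmpl as its own parent produces a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues an end-entity certificate for deviceID, signed by the
// CA. The device generates its own key pair; only the public key enters the
// certificate, the private key never leaves the device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID}, // hypothetical device identity
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, devKey, err
}

// verifyDevice is the relying party's check: it builds a chain from the
// presented certificate to one of the CAs it trusts, enforcing the validity
// period and client-authentication key usage. On success it returns the
// device identity (the subject CommonName); otherwise an error.
func verifyDevice(presented *x509.Certificate, trustedCAs ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newCA("Example Device CA")
	dev, _, _ := issueDeviceCert(ca, caKey, "sensor-0042")
	id, err := verifyDevice(dev, ca)
	fmt.Println("trusted device:", id, "err:", err)

	// Same device name, but signed by a CA the relying party does not trust.
	rogueCA, rogueKey, _ := newCA("Rogue CA")
	forged, _, _ := issueDeviceCert(rogueCA, rogueKey, "sensor-0042")
	_, err = verifyDevice(forged, ca)
	fmt.Println("forged certificate rejected:", err)
}
```

Two points are worth noticing in the verification step. The relying party only holds the CA certificate, never the CA private key, and yet it can decide whether to trust any device certificate the CA has issued; that is the leverage a CA provides. And verification is driven by the trust store plus the chain signatures, not by the name in the certificate: the rogue certificate carries the same CommonName and is still rejected. Chain validation alone does not check revocation; in a real deployment the relying party would add a CRL or OCSP check, and the device would additionally prove possession of its private key (for example in a TLS handshake) before being treated as that identity.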
There’s no doubt PKI is changing. While it is now devices rather than human beings that need identifying, the trust relationship facilitated by a CA is as relevant today as it was 10 years ago.