Public key infrastructure (PKI) is a term commonly used in cryptography to describe the arrangement by which public keys are bound to their respective identities through certificate authorities. The process has two phases: registration first, followed by issuance. A PKI can be operated entirely by software or under human supervision, depending on the level of security desired. A third party, the validation authority, can also take part, stepping in when the certificate authority is unavailable. The main aim of a PKI is to achieve non-repudiation. This is made possible by the registration authority, which ensures that the individual to whom a public key is bound is held responsible for it (Schmeh, 2003).
Generally speaking, a PKI is the system through which digital signatures are allocated to individuals to secure communication over a network exposed to the public. The intent is to ensure the confidentiality and security of the data and information shared across that network. A PKI does not only create and distribute digital signatures; it also stores them as entities for use when required. This ensures the accountability of the owners of the digital signatures, just as with handwritten signatures (Schmeh, 2003).
A number of components together make up a public key infrastructure. As stated earlier, there is the certificate authority, responsible for issuing and verifying certificates; the registration authority, which authenticates the CA's users; a central store for these entities; a management system that keeps track of the certificates; and a set of policies and standards that govern the use of the entire public key cryptography system.
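The registration and issuance phases and the verification that relies on them, modelled as a minimal in-house CA. This is an added example, not part of the essay; it uses the Python `cryptography` library, and the CA name, subject name and message are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

SIGALG = ec.ECDSA(hashes.SHA256())  # algorithm used when a subject signs a message

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _certify(subject, issuer, public_key, signer_key, is_ca, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def _verifies(public_key, sig, data, algo):
    try:
        public_key.verify(sig, data, algo)
        return True
    except InvalidSignature:
        return False

def make_ca(cn="Example In-House Root CA"):  # constructed name
    """Self-signed root: its certificate is the trust anchor relying parties install."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _certify(_name(cn), _name(cn), key.public_key(), key, True, 3650)

def register(cn):
    """Registration phase: the applicant creates a key and a CSR proving possession of it."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())

def issue(ca_key, ca_cert, csr, days=365):
    """Issuance phase: the RA's proof-of-possession check must pass before the CA signs."""
    if not csr.is_signature_valid:
        raise ValueError("CSR is not signed by the key it carries")
    return _certify(csr.subject, ca_cert.subject, csr.public_key(), ca_key, False, days)

def chains_to(cert, ca_cert):
    """Relying party: issuer name matches and the CA's signature over the TBS bytes verifies."""
    return cert.issuer == ca_cert.subject and _verifies(
        ca_cert.public_key(), cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))

def signature_holds(cert, message, sig):
    """Non-repudiation: the signature verifies only under the key the CA bound to the subject."""
    return _verifies(cert.public_key(), sig, message, SIGALG)
```

A certificate issued by a different root fails `chains_to`, and a message altered after signing fails `signature_holds`, which is the accountability the essay describes.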
As regards the adoption and implementation of a PKI, an organization may decide either to use an in-house certification authority or to outsource one. Both options come with advantages and limitations. For instance, with an in-house CA the organization enjoys full control of the system. However, research indicates that this is a costly move, as it calls for licensing costs, maintenance fees and other expenses needed to bring the system to full functionality. This may prove overly expensive for the organization (Vacca, 2004).
Equally, outsourcing has its advantages and limitations. The cost effectiveness of public certification authorities is what tends to attract most organizations to them: the organization incurs no hardware or software expenses, and there is no need to hire staff, since the provider has already done so. However, liability stands out as the main challenge. In this context, liability refers to the failures the adopting organization could experience. It is not easy to quantify the extent to which a supplier will willingly take responsibility for potential failures. Companies must therefore make an informed decision on whether to outsource or to use an in-house CA (Vacca, 2004).
Based on the arguments above, I could recommend an in-house implementation for a company. Far from being an expensive option, it gives a great assurance of security, and the company takes responsibility for any possible failure. An in-house implementation is also perfectly understood by the staff, who will always be readily available to offer help when needed. An in-house PKI implementation also spares the company a great deal of harm, as opposed to a public CA, where the supplier's failure means the clients' failure (Schmeh, 2003).
References
Schmeh, K. (2003). Cryptography and public key infrastructure on the Internet. Chichester, West Sussex, England: Wiley.
Vacca, J. R. (2004). Public key infrastructure: building trusted applications and Web services. Boca Raton, Fla.: Auerbach Publications.