8.6. Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).

When considering a PKI, you are confronted with a wide variety of issues:

a Certificate Authority (CA) that can issue and verify certificates, and that can work under a given hierarchy.
a Directory to hold user's public certificates.
a Database (?) to maintain Certificate Revocation Lists (CRL).
devices that interoperate with the CA in order to print out smart cards/USB tokens/whatever to securely store certificates.
certificate-aware applications that can use certificates issued by a CA to enroll in encrypted communication and check given certificates against CRL (for authentication and full Single Sign On solutions).
a Time stamping authority to digitally sign documents.
a management console from which all of this can be properly used (certificate generation, revocation list control, etc...).

Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and openswan (with X.509 standard support). However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, http://www.openca.org or the CA samples from OpenSSL. For more information read the http://ospkibook.sourceforge.net/.