PKI Architectures: How to Choose One (Page 2: PKI Architectures)
In the Internet’s world of insecurities, many actions should be taken to enhance the defense of each and every network. Many solutions exist that provide a level of security, none however being bulletproof. The best approach is to combine a variety of mechanisms that will supplement one another. In this article I will discuss a technology that is considered to be the new trend and a favored option among network implementers, that is Public Key Infrastructure (PKI).
In this section I will present the different types of CA architectures that are generally considered when implementing a PKI. PKI may be constructed as a:
Single architecture
Hierarchical architecture
Mesh architecture
Every architecture is distinct from the others with respect to the following:
The number of CAs in the PKI system
Where users place their trust (known as a user's trust point)
The trust relationships between CAs within a multi-CA PKI
Single Architecture
A single architecture is the most basic PKI model and contains only a single CA (you wouldn't expect more, would you?). All users of the PKI place their trust in this CA, and the CA is responsible for handling every user that requests a certificate. As there is only one CA, every certification path begins with its public key.
Figure 1: Single PKI Architecture
Hierarchical Architecture
A hierarchical architecture is constructed with subordinate CA relationships. In this configuration, all users trust a single "root" CA. The root CA issues certificates to subordinate CAs only, whereas subordinate CAs may issue certificates to users or other CAs. The trust relationship is specified in only one direction. In this PKI architecture, every certification path begins with the root CA's public key.
Figure 2: Hierarchical PKI Architecture
Mesh Architecture
A mesh architecture has no single CA that is trusted by all entities in the PKI system. Instead, CAs are connected to one another by cross-certification, creating a "web of trust" in which end entities may choose to trust any CA in the PKI. If a CA wishes to impose constraints on certain trust relationships, it must specify the appropriate limitations in the certificates it issues to its peers.
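The three architectures differ mainly in where a certification path starts and which CA-to-CA links it may traverse. The following toy model, added here as an illustration and not code from the original article, builds a certification path for each architecture by searching from a relying party's trust point to an end-entity certificate. It checks no real signatures; each certificate is reduced to its subject, issuer, CA flag and an optional pathLenConstraint, and all CA and user names, the constraint values and the three sample PKIs are constructed for this example. The mesh case shows the last point of the text: CA-A limits its cross-certificate to CA-B with pathLen 0, so a relying party trusting CA-A can reach CA-B's own users but not users of CA-B's subordinate.

```python
"""Toy certification-path builder for single, hierarchical and mesh PKIs.

Certificates are modelled as (subject, issuer, CA flag, pathLenConstraint);
no real signatures are verified. All names and constraint values below are
constructed for this example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # CA certs only: max further CA certs allowed below this one


def path_len_ok(path: List[Cert]) -> bool:
    """Enforce each CA certificate's pathLenConstraint on the certificates that follow it."""
    for i, cert in enumerate(path):
        if cert.is_ca and cert.path_len is not None:
            # Self-issued certs (subject == issuer) do not count, as in X.509 path validation
            following = [c for c in path[i + 1:] if c.is_ca and c.subject != c.issuer]
            if len(following) > cert.path_len:
                return False
    return True


def build_path(certs: List[Cert], trust_anchor: str, target: str) -> Optional[List[Cert]]:
    """Breadth-first search from the trust anchor's name to an end-entity cert for target.

    The returned path begins with the anchor's self-signed certificate when the PKI
    has one, since every certification path starts with the trust point's public key.
    """
    by_issuer: Dict[str, List[Cert]] = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)

    seed = [c for c in certs if c.subject == trust_anchor and c.issuer == trust_anchor][:1]
    queue = deque([(trust_anchor, seed, {trust_anchor})])
    while queue:
        name, path, seen = queue.popleft()
        for cert in by_issuer.get(name, []):
            candidate = path + [cert]
            if not cert.is_ca:
                if cert.subject == target and path_len_ok(candidate):
                    return candidate
                continue
            # CA cert: follow it unless it loops back or already violates a constraint
            if cert.subject not in seen and path_len_ok(candidate):
                queue.append((cert.subject, candidate, seen | {cert.subject}))
    return None


def path_names(certs: List[Cert], trust_anchor: str, target: str) -> Optional[List[str]]:
    """Convenience wrapper returning the subjects along the path, or None if none exists."""
    path = build_path(certs, trust_anchor, target)
    return None if path is None else [c.subject for c in path]


# Single architecture: one CA, every path begins with its key.
SINGLE = [Cert("Root", "Root", True), Cert("alice", "Root")]

# Hierarchical architecture: the root issues to a subordinate, which issues to users.
HIER = [Cert("Root", "Root", True), Cert("Sub", "Root", True, path_len=0), Cert("bob", "Sub")]

# Mesh architecture: CA-A and CA-B cross-certify each other. CA-A constrains its peer with
# pathLen 0, so a CA-A relying party reaches CA-B's direct users but not CA-B's subordinate.
MESH = [
    Cert("CA-A", "CA-A", True),
    Cert("CA-B", "CA-B", True),
    Cert("CA-B", "CA-A", True, path_len=0),   # cross-certificate A -> B, constrained
    Cert("CA-A", "CA-B", True),               # cross-certificate B -> A, unconstrained
    Cert("Sub-A", "CA-A", True),
    Cert("Sub-B", "CA-B", True),
    Cert("alice", "Sub-A"),
    Cert("carol", "CA-B"),
    Cert("dave", "Sub-B"),
]

if __name__ == "__main__":
    print(path_names(SINGLE, "Root", "alice"))   # ['Root', 'alice']
    print(path_names(HIER, "Root", "bob"))       # ['Root', 'Sub', 'bob']
    print(path_names(MESH, "CA-A", "carol"))     # ['CA-A', 'CA-B', 'carol']
    print(path_names(MESH, "CA-B", "alice"))     # ['CA-B', 'CA-A', 'Sub-A', 'alice']
    print(path_names(MESH, "CA-A", "dave"))      # None: blocked by pathLen 0 on the cross-cert
    print(path_names(MESH, "CA-B", "dave"))      # ['CA-B', 'Sub-B', 'dave']
```

The search is deliberately run from the trust point outward rather than from the end entity upward, which makes the role of the trust anchor explicit: the same end entity ("dave") is reachable from CA-B but not from CA-A, purely because of the constraint CA-A placed in the certificate it issued to its peer.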