In the Internetís world of insecurities, many actions should be taken to enhance the defense of each and every network. Many solutions exist that provide a level of security, none however being bulletproof. The best approach is to combine a variety of mechanisms that will supplement one another. In this article I will discuss a technology that is considered to be the new trend and a favored option among network implementers, that is Public Key Infrastructure (PKI).
In this section I will present the different types of CA architectures that are generally considered when implementing a PKI. PKI may be constructed as a:
Every architecture is distinct from the others in respect to the following:
The numbers of CAs in the PKI system
Where users place their trust (known as a user's trust point)
Trust relationships between CAs within a multi-CA PKI
A single architecture is the most basic PKI model that contains only a single (you wouldn't expect more, would you?) CA. All the users of the PKI place their trust on this CA. The CA will be responsible in handling all the users requesting a certificate. As there is only one CA, every certification path will begin with its public key.
Figure 1Single PKI Architecture
A hierarchical architecture is constructed with subordinate CA relationships. In this configuration, all users trust a single "root" CA. The root CA issues certificates to subordinate CAs only, whereas subordinate CAs may issue certificates to users or other CAs. The trust relationship is specified in only one direction. In this PKI architecture, every certification path begins with the root CA's public key.
Figure 2 Hierarchical PKI Architecture
A mesh architecture does not include only one CA that is trusted by all entities in the PKI system. CAs can be connected with cross certification creating a "web of trust" where end entities may choose to trust any CA in the PKI. If a CA wishes to impose constraints on certain trust relationships, it must specify appropriate limitations in the certificates issued to its peers.