Deploy360 5 April 2017

Introduction to PKIs & CAs paper

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

TLS badgeIf you’re looking for background information on how Public Key Infrastructures (PKIs) and Certificate Authorities (CA) support secure and private communication on the Internet, then Deploy360 has just published an overview of how these mechanisms work and how they are deployed.

There are several commonly used mechanisms for supporting secure and private communication, transaction protection and identity assertion and management. These include the so-called Internet PKI commonly used for secure web browsing but which can be used for other applications, PKI for e-mail, RPKI used by Regional Internet Registries to assert the holders of IP resources, and DNSSEC that can be used to validate DNS queries. DANE is a new protocol that uses DNSSEC to allow owners to assert their own digital certificates, and therefore potentially incorporate the functionality of the Internet PKI into the global DNS.

The Introduction to PKIs & CAs includes the following topics:

  • What is a Public Key Infrastructure?
  • How does Public Key cryptography work?
  • Why should I care about PKIs?
  • What is a CA?
  • How do I establish a publicly trusted CA?
  • What do I need to worry about?
  • What is RPKI?
  • What is DNSSEC?

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...