Concept Guides

Public Key Infrastructure

Create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption with Raidiam Connect Public Key Infrastructure (PKI). Facilitate secure data exchanges by empowering participants to authenticate each other's identities through certificate verification. Integrate external certificates into Raidiam's Trust Framework for enhanced interoperability and trust assurance.



Raidiam Connect Public Key Infrastructure enables organizations to facilitate dependable and secure information exchange in network communications. The PKI enables the Data Providers and Data Receivers to communicate with each other securely by requiring a rigorous proof to confirm the participant's identity - a digital certificate - during the data exchange process.

A digital certificate is essentially an electronic document that uses a digital signature to bind a public key with an individual's identity information, such as their name or the name of an organization. This certificate can confirm the identity of the certificate holder and provide the public key necessary to establish secure communications. In the PKI system, public keys are associated with specific organizational identities. This association is formalized through registration with a registration authority and the subsequent issuance of certificates by a certificate authority.



In practical terms, during a data exchange, both parties present their digital certificates to each other in a process known as a TLS handshake. This handshake is part of mutual TLS-based client authentication, where the exchange of certificates verifies the identities of the entities involved. The validity of a certificate is checked by verifying its signature with the public key of the issuing certificate authority.

Imagine a Data Provider, Bank A, and a Data Receiver, Fintech B, initiating a data exchange. Bank A presents its digital certificate to Fintech B as part of the TLS handshake. Fintech B does the same, sharing its certificate with Bank A. Each entity checks the signature on the received certificate using the issuing certificate authority's public key. This process confirms that the certificates are valid and that each party is indeed who it claims to be, allowing the secure exchange of information to proceed.

Importance of PKI

  • Security: PKI is crucial for securing communications in an organization. It ensures that sensitive data transmitted over networks is encrypted and remains confidential.
  • Identity Verification: PKI facilitates the verification of digital identities, assuring that the entities involved in a transaction are who they claim to be.
  • Data Integrity: Digital signatures provided by PKI ensure that data has not been tampered with during transmission.
  • Compliance: Many regulatory frameworks require the use of PKI for ensuring data protection and privacy.

PKI Components

Registration Authority

A Registration Authority (RA) is responsible for verifying the eligibility of the PKI's participants and ensuring the accuracy of information provided during the certificate request process.

An RA is responsible for screening and validating the certificate request from the applicant / subscriber and deciding if it should be accepted. If a certificate request is accepted, the Registration Authority submits the certificate request to the Certificate Authority for signing.

Certificate Authority

A Certificate Authority (CA) authenticates the identity of the subscriber entities and binds each identity to a cryptographic key. The CA manufactures the digital certificate by digitally signing the submitted public key with its own private key, then issues it. The CA returns the certificate to the RA for onward transmission to the subscriber.
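The CA signing step above and the handshake check from the Bank A / Fintech B scenario, as an added Go example that is not part of this page or of Raidiam Connect: the CA and the "Bank A" and "Fintech B" certificates are constructed in memory, and Issue and VerifyPeer are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue generates a key pair for name and has the CA (parent, parentKey) sign that public key into a
// certificate, the CA step that follows RA acceptance. A nil parent yields a self-signed CA.
func Issue(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA, allowed to sign subscriber certificates
		parent, parentKey, tmpl.IsCA, tmpl.BasicConstraintsValid = tmpl, key, true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyPeer is what each side of the mTLS handshake does with the certificate it receives: confirm,
// with the trusted CA's public key, that the CA signed it and that it is within its validity period.
func VerifyPeer(peer, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, caKey := Issue("Ecosystem CA", 1, nil, nil) // constructed example CA, not a Raidiam root
	otherCA, _ := Issue("Other CA", 1, nil, nil)    // a CA the ecosystem does not trust
	bankA, _ := Issue("Bank A", 2, ca, caKey)
	fintechB, _ := Issue("Fintech B", 3, ca, caKey)
	fmt.Println("Fintech B checks Bank A:", VerifyPeer(bankA, ca))      // <nil>
	fmt.Println("Bank A checks Fintech B:", VerifyPeer(fintechB, ca))   // <nil>
	fmt.Println("Bank A against wrong CA:", VerifyPeer(bankA, otherCA)) // certificate signed by unknown authority
}
```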

Certificate Validation Service

Certificate Validation Services are used to verify the authenticity and validity of a digital certificate. This can include checking the certificate's status (whether it's active, revoked, or expired), verifying the certificate's signatures, and ensuring the certificate was issued by a trusted Certificate Authority.

These status services are provided using open standards: the Online Certificate Status Protocol (OCSP, RFC 6960) and Certificate Revocation Lists (CRL, RFC 5280).

Key Management Services

Key Management Services (KMS) cover the secure lifecycle management and administration of the cryptographic keys used to encrypt or digitally sign data: their secure generation, exchange, use, storage and replacement. KMS encompasses key lifecycle management, key storage, and cryptographic functionality.

Public Key Store

Public Key Stores are the hosted JSON Web Key Sets (JWKS) for each organisation and software instance in an ecosystem. The system maintains active and inactive keys at the individual software and organisation level; a key's status correlates with the status of the corresponding digital certificate.

A centrally managed and integrated Public Key Store (in JWKS format) is critical to ensuring that the ecosystem API consumers and relying parties have a single trust anchor and location to obtain the necessary public keys.