Public Key Infrastructure

create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption with raidiam connect public key infrastructure (pki) facilitate secure data exchanges by empowering participants to authenticate each other's identities through certificate verification integrate external certificates into raidiam's trust framework for enhanced interoperability and trust assurance raidiam connect public key infrastructure enables organizations to facilitate dependable and secure information exchange in network communications the pki enables the data providers docid\ apm ilivcfpfft1ld0puc and data receivers docid 0icz dap0cfxtlrhddxni to communicate with each other securely by requiring a rigorous proof to confirm the participant's identity a digital certificate during the data exchange process a digital certificate is essentially an electronic document that uses a digital signature to bind a public key with an individual's identity information, such as their name or the name of an organization this certificate can confirm the identity of the certificate holder and provide the public key necessary to establish secure communications in the pki system, public keys are associated with specific organizational identities this association is formalized through registration with a registration authority and the subsequent issuance of certificates by a certificate authority sequencediagram autonumber participant dr as data recipient participant ra as registration authority participant ca as certificate authority participant va as certificate validation service participant dp as data provider dr >>ra request certificate ra >>ca request is ok par ca >>ra private key + public key + certificate ra >>dr private key + public key + certificate and ca >>va public key end dr >>dp request note over dr,dp both parties exchange their certificates dp >>va validate certificate va >>dp certificate is ok dp >>dr http 200 ok in practical terms, during a data exchange, both parties present their digital certificates to each other in a process known as a tls handshake this handshake is a part of mutual tls based client authentication methods, where the exchange of certificates helps verify the identities of the entities involved the validity of a certificate is checked by decrypting it with the public key provided by the issuing certificate authority imagine a data provider, bank a , and a data receiver, fintech b , initiating a data exchange bank a presents its digital certificate to fintech b as part of the tls handshake fintech b does the same, sharing its certificate with bank a each entity uses the other's public key to decrypt the received certificate this process confirms that the certificates are valid and that each party is indeed who they claim to be, allowing the secure exchange of information to proceed importance of pki security pki is crucial for securing communications in an organization it ensures that sensitive data transmitted over networks is encrypted and remains confidential identity verification pki facilitates the verification of digital identities, assuring that the entities involved in a transaction are who they claim to be data integrity digital signatures provided by pki ensure that data has not been tampered with during transmission compliance many regulatory frameworks require the use of pki for ensuring data protection and privacy pki components registration authority a registration authority (ra) is responsible for verifying the eligibility of the pki's participants and ensuring the accuracy of information provided during the certificate request process an ra is responsible for screening and validating the certificate request from the applicant / subscriber and deciding if it should be accepted if a certificate request is accepted, the registration authority submits the certificate request to the certificate authority for signing certificate authority a certificate authority (ca) authenticates the identity of the subscriber entities and binds them with a cryptographic key the ca manufactures digitally signs the submitted public key with its (ca's) private key and issues the digital certificate ca returns the certificate to the ra for onward transmission to the subscriber certificate validation service certificate validation services are used to verify the authenticity and validity of a digital certificate this can include checking the certificate's status (whether it's active, revoked, or expired), verifying the certificate's signatures, and ensuring the certificate was issued by a trusted certificate authority the information services are provided using open standards via online certificate status protocol (ocsp) rfc 6960 and certificate revocation list (crl) rfc 5280 key management services key management services (kms) deal with the secure lifecycle management and administration of cryptographic keys used to encrypt or digitally sign data this includes dealing with the secure generation, exchange, use, storage and replacement of keys kms encompasses key lifecycle management, key storage, and cryptographic functionality public key store public key stores (jwks) are the hosted json web key sets (jwks) for each organisation and software instance in an ecosystem the system maintains active and inactive keys at individual software and organization level which correlates to the status of the corresponding digital certificate a centrally managed and integrated public key store (in jwks format) is critical to ensuring that the ecosystem api consumers and relying parties have a single trust anchor and location to obtain the necessary public keys