Public Key Infrastructure

Backup

en-/de-cryption keys: Yes - Dataloss
signing keys: No - Keep integrety. Exactly only 1 person or org can sgin. Arguable.

Threshold cryptography

Shamir's secret sharing: Split the secret in pieces and store them on different places

Architecture

Different keys for signing and encryption

root -> key

Timestamping

Certificate

Electronic Identity Card

Link Public Key to your name

Contains:

DN: Unique name of owner
Serial: Unique serial number
Start: start date of validity
End: end date of validity
CRL: certificate revocation list
Key: Public Key
CA DN: Uniqe name of the certificate authority that signed the certificate

OCSP

Online Certificate Status Protocol

X.509

Certificate Authority

GlobalSign WebTrust DigiSign

Registration Authority

Resources

https://jamielinux.com/docs/openssl-certificate-authority/