Definition

Public key infrastructure (PKI) is the set of roles, policies, hardware, software, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption. At its core, PKI allows two parties who have never met to establish trust by relying on a mutually trusted third party—a Certificate Authority (CA)—that vouches for the binding between a public key and an identity.

The most common PKI standard is X.509, defined by ITU-T and profiled for internet use in RFC 5280; it is the format used for TLS certificates, code signing certificates, email signing (S/MIME), and document signing. An X.509 certificate contains a serial number, a subject (the entity being certified), the subject’s public key, an issuer (the CA), a validity period, extensions such as Subject Alternative Name and Basic Constraints, and the CA’s digital signature over all of those fields (the TBSCertificate portion; the signature cannot cover itself).

Why It Matters

PKI is the trust infrastructure of the internet. Every HTTPS connection, every digitally signed email, every verified software update depends on a chain of certificates linking an entity’s public key to a trusted root CA. As of 2024, there are over 150 root CAs trusted by major browsers and operating systems, and Let’s Encrypt alone has issued over 4 billion certificates since its founding in 2015.

The scale is immense but the architecture is fragile. A CA’s signing key can issue a certificate for any name, so the compromise of a single CA threatens every relying party, not only that CA’s own customers. DigiNotar (2011) and Comodo (2011) suffered intrusions that produced fraudulent certificates, and Symantec (2017) was distrusted for mis-issuance and policy violations; each case ended with removal from browser trust stores. Each incident demonstrated that the hierarchical trust model, in which users trust dozens of CAs they have never evaluated, creates systemic risk.

This fragility has driven two countermeasures: Certificate Transparency (public, append-only logs in which issuance by publicly trusted CAs is recorded, so that a mis-issued certificate can be detected by the domain owner) and decentralized identity systems (DIDs, Sign-In with Ethereum) that remove the CA from the identity layer by anchoring trust in cryptographic key pairs controlled by the user, which in turn makes key custody and recovery the user’s own responsibility.

The PKI market was valued at $5.2 billion in 2024 (MarketsandMarkets), with growth driven by IoT device authentication, zero-trust network access, and code signing requirements for software supply chain security.

How It Works

PKI operates through a hierarchy of trust:

  1. Root Certificate Authorities: Self-signed certificates embedded in operating systems and browsers. Root CAs are the trust anchors. Their private keys are stored in Hardware Security Modules in physically secured facilities.

  2. Intermediate CAs: CAs certified by root CAs. Intermediate CAs issue end-entity certificates, creating a chain of trust from the end entity back to the root. This layered structure allows root CA keys to remain offline, reducing exposure.

  3. Certificate issuance: An entity generates a key pair, creates a Certificate Signing Request (CSR) containing its public key and identity information, signs the CSR with its private key to prove possession, and submits it to a CA. The CA validates the request (domain validation, organization validation, or extended validation) and issues a signed certificate. The private key never leaves the requester.

  4. Certificate verification: When a client connects to a TLS-enabled server, the server presents its certificate chain. The client verifies each signature in the chain up to a trusted root, confirms that every issuing certificate is marked as a CA (the Basic Constraints extension; without this check any end-entity certificate could sign certificates for other sites), checks that the current time falls within each certificate’s validity period, matches the requested hostname against the Subject Alternative Name, and, where the client supports it, checks revocation status via CRL or OCSP.

  5. Certificate revocation: If a private key is compromised, the CA revokes the certificate and publishes the revocation via Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). With OCSP stapling the server fetches the CA-signed, time-limited OCSP response itself and includes it in the TLS handshake, so the client does not have to contact the CA (lower latency, and no leak of the user’s browsing to the CA). The weak point in practice is that most clients soft-fail when a revocation check cannot complete, so a revoked certificate can remain usable until it expires; short certificate lifetimes and browser-distributed revocation lists exist to narrow that window.
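Steps 1 through 4, carried out in code. This is an added example written for this page, not code from the original article or from Stealth Cloud: it builds a root, an intermediate and a leaf certificate in memory with Go’s standard crypto/x509 package and then runs the client-side checks of step 4 (revocation is omitted; the hostname api.example.test, the CA names and the lifetimes are placeholders chosen for the example). The last case is the one that separates a correct verifier from signature arithmetic: a certificate signed by the leaf’s own key verifies mathematically, but is rejected because the leaf carries no CA basic constraint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const leafHost = "api.example.test" // placeholder hostname, not a real deployment

type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	LeafKey           *ecdsa.PrivateKey // kept only for the rogue-issuance case
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs template with signer, which must be parent's private key
// (pass template as its own parent for a self-signed root).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildChain is steps 1 to 3: a root, an issuing intermediate limited to end-entity certs, a 90-day leaf.
func BuildChain(now time.Time) *Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	interTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero: true, // pathlen:0 -> may sign end-entity certificates only
	}
	inter := issue(interTpl, root, &interKey.PublicKey, rootKey)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafHost},
		DNSNames:  []string{leafHost}, // clients match the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTpl, inter, &leafKey.PublicKey, interKey)
	return &Chain{Root: root, Inter: inter, Leaf: leaf, LeafKey: leafKey}
}

// VerifyServerCert is step 4 as a TLS client does it (minus revocation): signatures up to a
// trusted root, CA flag on every issuer, validity at now, hostname against the SAN.
func VerifyServerCert(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RogueIssuance: the leaf's private key signs a certificate for another host. The signature
// is valid; a correct verifier still rejects the chain because the leaf is not a CA.
func RogueIssuance(ch *Chain, now time.Time) error {
	rogue := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "bank.example.test"},
		DNSNames:  []string{"bank.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 30),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ch.Leaf, &newKey().PublicKey, ch.LeafKey)
	return VerifyServerCert(rogue, []*x509.Certificate{ch.Inter, ch.Leaf}, ch.Root, "bank.example.test", now)
}

func main() {
	now := time.Now()
	ch := BuildChain(now)
	inters := []*x509.Certificate{ch.Inter}
	fmt.Println("valid chain:", VerifyServerCert(ch.Leaf, inters, ch.Root, leafHost, now))
	fmt.Println("wrong host:", VerifyServerCert(ch.Leaf, inters, ch.Root, "evil.example.test", now))
	fmt.Println("expired:", VerifyServerCert(ch.Leaf, inters, ch.Root, leafHost, now.AddDate(0, 0, 91)))
	fmt.Println("signed by non-CA leaf:", RogueIssuance(ch, now))
}
```

Two design points worth noting. The root key is used exactly once, to sign the intermediate, which is what lets real roots stay offline; and the intermediate’s pathlen:0 means that even a compromise of the issuing CA cannot mint further sub-CAs. Dropping the `Intermediates` pool (sending only the leaf) also fails verification, which is the usual cause of "works in curl, fails in Java" chain problems.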

Stealth Cloud Relevance

Stealth Cloud relies on traditional PKI for transport-layer security—all connections to stealthcloud.ai and api.stealthcloud.ai use TLS certificates issued by publicly trusted CAs, with full Certificate Transparency compliance. However, the authentication layer deliberately bypasses PKI’s identity model.

Instead of issuing client certificates or relying on CA-verified identities, Stealth Cloud authenticates users via Sign-In with Ethereum (EIP-4361), in which trust is anchored in the user’s own private key rather than in a third-party CA. The wallet signs a server-issued message, and the server verifies that signature directly against the public key behind the user’s address; no certificate chain is consulted. This removes the CA as a trust dependency for user identity, while retaining PKI where it remains necessary (TLS transport encryption).
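The check described above, as an added example that is neither Stealth Cloud’s code nor the reference SIWE implementation. It uses only Go’s standard library, so two substitutions are labelled in the code: P-256 ECDSA stands in for the secp256k1 signatures Ethereum wallets produce, and a SHA-256 digest of the public key stands in for the Keccak-256 address derivation; the message layout, the domain example.test and the five-minute expiry are constructed for the example. What it shows is the shape of the trust decision, which is the contrast with chain verification: a server-issued nonce, an expiry, a domain binding, a key-to-address check, a signature check, and a single-use rule, with no issuer anywhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge: the fields an EIP-4361 message binds together; the layout in Message is a constructed simplification of the SIWE grammar.
type Challenge struct {
	Domain, Address, Nonce string
	IssuedAt, ExpiresAt    time.Time
}

func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("%s wants you to sign in with your account:\n%s\nNonce: %s\nIssued At: %s\nExpiration Time: %s",
		c.Domain, c.Address, c.Nonce, c.IssuedAt.UTC().Format(time.RFC3339), c.ExpiresAt.UTC().Format(time.RFC3339)))
}

// AddressOf derives the account identifier from the public key alone; no CA is involved.
// Stand-in: SHA-256 over the raw point, last 20 bytes. Ethereum uses Keccak-256 over a
// secp256k1 point; P-256 is used here because it ships in the Go standard library.
func AddressOf(pub *ecdsa.PublicKey) string {
	raw := elliptic.Marshal(pub.Curve, pub.X, pub.Y) // 0x04 || X || Y
	sum := sha256.Sum256(raw[1:])
	return "0x" + hex.EncodeToString(sum[12:])
}

// NewWalletKey is the user side: a key pair only the user holds.
func NewWalletKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SignChallenge is what the wallet does: hash the challenge text and sign the hash.
func SignChallenge(key *ecdsa.PrivateKey, c Challenge) []byte {
	h := sha256.Sum256(c.Message())
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Server is the relying party. It keeps the challenges it issued, keyed by nonce,
// so each can be redeemed exactly once.
type Server struct {
	Domain  string
	pending map[string]Challenge
}

func NewServer(domain string) *Server { return &Server{Domain: domain, pending: map[string]Challenge{}} }

func (s *Server) NewChallenge(address string, now time.Time) Challenge {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := Challenge{Domain: s.Domain, Address: address, Nonce: hex.EncodeToString(b),
		IssuedAt: now, ExpiresAt: now.Add(5 * time.Minute)}
	s.pending[c.Nonce] = c
	return c
}

// Verify is the entire trust decision: no issuer to consult, only the key, the exact
// challenge this server issued (which also binds the domain and defeats relayed sign-ins),
// the clock, and a nonce that is consumed on success.
func (s *Server) Verify(c Challenge, pub *ecdsa.PublicKey, sig []byte, now time.Time) error {
	if issued, ok := s.pending[c.Nonce]; !ok || string(issued.Message()) != string(c.Message()) {
		return errors.New("nonce unknown or already used, or message differs from the issued challenge")
	}
	if now.After(c.ExpiresAt) {
		return errors.New("challenge expired")
	}
	if AddressOf(pub) != c.Address {
		return errors.New("public key does not belong to the claimed address")
	}
	h := sha256.Sum256(c.Message())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("invalid signature")
	}
	delete(s.pending, c.Nonce) // single use: a captured signature cannot be replayed
	return nil
}

func main() {
	now, srv, user := time.Now(), NewServer("example.test"), NewWalletKey()
	c := srv.NewChallenge(AddressOf(&user.PublicKey), now)
	sig := SignChallenge(user, c)
	fmt.Println("first use:", srv.Verify(c, &user.PublicKey, sig, now))
	fmt.Println("replay:", srv.Verify(c, &user.PublicKey, sig, now))
}
```

Real Ethereum verification recovers the public key from the signature instead of receiving it alongside, but the decision logic is the same. The point to take from the code is what is absent: there is no trust store, no chain, and no revocation list; if the user loses the key there is also no CA to reissue anything, which is the custody burden the identity model moves onto the user.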

The result is a hybrid trust model: PKI secures the channel, the user’s own key pair secures the identity, and no single third party can impersonate either.

The Stealth Cloud Perspective

PKI solved the problem of trust on the internet by centralizing it in certificate authorities. Stealth Cloud solves the problem of identity by decentralizing it in wallet key pairs. Both use the same mathematics—asymmetric cryptography and digital signatures—but with opposite trust architectures. PKI says “trust the authority.” Stealth Cloud says “trust the math.”