4.5.1 Centralized vs. Decentralized

When implementing a PKI scheme, you need to decide whether you require a centralized key management mechanism, in which a central authority manages keys, or whether a decentralized model, in which each individual user manages his or her own key pair, is sufficient.

A model such as the one used by PGP (the "web of trust") is decentralized and therefore does not scale well at the enterprise level. The more users you have, the more individual sources of keys (and points of potential vulnerability) you have. It is also a high-overhead model that makes functions like key distribution difficult, and it invites a private key compromise sooner rather than later (for example, when an inexperienced clerk allows a tech-savvy power user in the department unrestricted access to the file containing the clerk's private key). Without a central authority verifying user identity, you would need to investigate each provider of a public key and satisfy yourself that it is legitimate before accepting it.

What if an individual's key has been compromised and then revoked? With decentralized key management you might not learn of the revocation unless the user happened to email you about it. (PGP does let a key owner publish a revocation certificate to a key server, but nothing obliges a relying party to refresh its copy of the key and notice it.)

Centralized key management is performed by a commercial firm, such as VeriSign, or within an organization itself. The managing organization controls functions such as the generation, escrow, and status checking of the keys it issues, freeing individual users from these tasks. (Escrow applies to encryption keys, so that data can still be recovered if the owner's key is lost; signing keys are not escrowed, because a copy held by someone else would undermine non-repudiation.) Typically, centralized key management involves the use of a Certificate Authority (CA) to issue and manage certificates (and thus keys). The CA vouches for the identity behind each key, so a relying party needs to trust only the CA rather than every user, and the CA publishes revocations (in a Certificate Revocation List, or through OCSP) where any relying party can check them without depending on the user.
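Added example (not from the CertiGuide text): the following POSIX shell script uses the openssl command-line tool to stand up a small centralized PKI of the kind the section describes. It shows three things the section argues for: the user's private key is generated locally and never reaches the CA (only a certificate signing request does); a relying party validates the user's certificate by trusting the single CA certificate instead of investigating each user; and revocation is learned from a CRL the CA publishes, not from the user. The CA name "Example Corp Root CA", the user "alice@example.com" and all file names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the CertiGuide text): a minimal centralized PKI built with
# the openssl command-line tool. One Certificate Authority issues a user certificate,
# a relying party validates it against the CA alone, the CA later revokes it and
# publishes a CRL, and the relying party learns of the revocation from that CRL
# without ever hearing from the user. "Example Corp Root CA" and "alice@example.com"
# are made-up names used only for illustration.

# Create a scratch directory holding a CA, one end-entity certificate and an empty CRL.
# Note: this function changes the current directory to the scratch directory.
pki_setup() {
    PKI_DIR=$(mktemp -d)
    cd "$PKI_DIR" || return 1
    mkdir db
    : > db/index.txt          # the CA's database of issued/revoked certificates
    echo 01 > db/crlnumber    # sequence number for the next CRL

    # One configuration file serves both "openssl req" and "openssl ca".
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_ee ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF

    # 1. The central authority generates its own key pair and self-signed root certificate.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -extensions v3_ca -subj "/CN=Example Corp Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null

    # 2. The user generates a key pair locally. Only the public key and identity
    #    (the signing request) go to the CA; the private key never leaves the user.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice@example.com" -keyout alice.key -out alice.csr 2>/dev/null

    # 3. The CA vouches for the identity/key binding by signing the certificate.
    openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile ca.cnf -extensions v3_ee -out alice.crt 2>/dev/null

    # 4. The CA publishes its (initially empty) certificate revocation list.
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Relying party: trust is rooted in the CA certificate and the CA's CRL, not in any
# individual user. Returns 0 if the certificate chains to the CA and is not revoked.
verify_cert() {
    openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1"
}

# CA operation: mark a certificate as revoked in the database and publish a fresh CRL.
revoke_cert() {
    openssl ca -config ca.cnf -revoke "$1" 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

demo() {
    pki_setup
    echo "Before revocation:"
    verify_cert alice.crt                       # prints "alice.crt: OK"
    revoke_cert alice.crt
    echo "After revocation:"
    verify_cert alice.crt || echo "alice.crt rejected (status learned from the CA's CRL)"
}

demo
```

Run it as `sh pki_demo.sh`; the second verification fails with "certificate revoked" even though nobody told the relying party anything directly. In a real deployment the relying party fetches the CRL (or queries OCSP) from the distribution point named in the certificate instead of reading a local file, but the trust decision is the same: one CA to trust, one place to check status.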
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0, Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.