LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the main building blocks of a Public-Key Infrastructure (PKI)?

Registration Authority (RA), Certificate Authority (CA), Verification Authority (VA) / Directory Service, Personal Security Environment (PSE), and the consuming Security Application.

Block Role
Registration Authority (RA) Front desk — verifies the applicant's identity, collects documents, forwards the request to the CA
Certification Authority (CA) Back office — signs certificates with the CA's private key
Verification Authority (VA) Answers "is this cert still valid?" queries (OCSP responder)
Directory Service (DIR) Public repository where certificates and CRLs are published (LDAP, HTTP)
Personal Security Environment (PSE) The user-side storage for their private key — software keystore, smartcard, USB token, HSM
Security Application The thing that uses certs — browser (TLS), email client (S/MIME), VPN, code-signing tool

Why split RA and CA? Identity verification and signing are very different security boundaries. RA staff are often physically present (taking ID cards from people) — they shouldn't have access to the CA's signing key. The CA can sit in a vault, accept signed requests from the RA, sign, and publish.

PSE storage tiers (from least to most secure):

Storage Key extractable?
Soft-Token (password-encrypted file) Yes — bytes are readable from disk
Smart card / Chip card No — operations happen on-card
USB token (YubiKey, Nitrokey) No — same as smartcard
Hardware Security Module (HSM) No — server-grade, FIPS-certified

Tip: For ordinary web use, your browser's keystore (a soft-token) is fine. For code-signing or high-value certs, use a hardware token — that way even malware on your dev machine can't exfiltrate the key, only request signatures.

From Quiz: ISF / Asymmetric Cryptography | Updated: Jul 14, 2026