[World Bank]: Public Key Infrastructure - 发现报告

Public Key Infrastructure

General 2025-01-13 World Bank HEE

PUBLIC KEY INFRASTRUCTURE
IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES

DIGITAL PUBLIC INFRASTRUCTURE POLICY NOTE SERIES
DECEMBER 2024

Public Disclosure Authorized

© 2024 The World Bank
1818 H Street NW, Washington DC 20433
Telephone: +1-202-473-1000; Internet: www.worldbank.org

Some rights reserved.

This work is a product of The World Bank. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Executive Directors of The World Bank or the governments they represent.

The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, links/footnotes and other information shown in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. The citation of works authored by others does not mean the World Bank endorses the views expressed by those authors or the content of their works.

Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.

Cover photo: © Shutterstock, Inc. Used with the permission of Shutterstock, Inc. Further permission required for reuse.
Cover Design: Duina Reyes

Attribution – Please cite the work as follows: “Christopher Tullis and David Black. 2024. Public Key Infrastructure: Implementing High-Trust Electronic Signatures. © Washington, DC: World Bank.”

Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: +1-202-522-2625; e-mail: pubrights@worldbank.org.

TABLE OF CONTENTS

Abbreviations
About ID4D
About KWPF
Acknowledgments
Executive Summary

1. Introduction
    Digital Public Infrastructure
    Key Use Cases
    Legal Validity

2. Public Key Infrastructure Fundamentals
    Public Key Cryptography
    Why Do We Need an “Infrastructure”?
    What Does it Take to Implement a PKI?

3. Implementing a Public Key Infrastructure
    Core Components
    Hierarchical Components
    Operations
    PKI Interoperability: Federating Trust
    Governance
    Deployment Models
    Sourcing
    Managing Liability
    Driving Adoption
    Stakeholder Engagement

4. Conclusions
    Establishing Strategic Foundations
    Designing for Success
    Ensuring Scalability
    Promoting Adoption

Appendices
    Appendix 1: Glossary of Key Terms
    Appendix 2: Public Key Cryptography Primer
    Appendix 3: The Chain of Cryptographic Trust
    Appendix 4: eIDAS Governance Model
    Appendix 5: PKI Operational Functions
    Appendix 6: PKI Interoperability: Federating Trust
    Appendix 7: Institutional Governance Arrangements
    Appendix 8: Sourcing Strategies
    Appendix 9: PKI Sourcing Checklist
    Appendix 10: Keeping Private Keys Private: Secure Signature Creation Devices
    Appendix 11: Indicative Costing
    Appendix 12: Managing Liability

List of Case Studies

    Case Study 1: India
    Case Study 2: Brazil
    Case Study 3: United States
    Case Study 4: European Union
    Case Study 5: International Civil Aviation Organization
    Case Study 6: EU Digital COVID Certificate
    Case Study 7: South Korea
    Case Study 8: Estonia
    Case Study 9: Saudi Arabia
    Case Study 10: The Netherlands
    Case Study 11: France
    Case Study 12: United Kingdom
    Case Study 13: Lebanon

List of Boxes

    Box 1. How do digital signatures and PKI support common online interactions?
    Box 2: Quantum computing

List of Figures

    Figure 1: Comparison of digital and electronic signatures
    Figure 2: Role of PKI in an electronic signature framework
    Figure 3: Process for issuance and verification of digital signatures using PKI
    Figure 4: Comparison of single-, two-, and three-tiered PKI architectures
    Figure 5: PKI Governance
    Figure 6: Creating a digital signature using a private key
    Figure 7: Verifying a digital signature using a public key
    Figure 8: Chain of cryptographic trust—simple PKI
    Figure 9: Chain of cryptographic trust—tiered PKI
    Figure 10: Trust framework for Qualified Trust Services under eIDAS (summary)
    Figure 11: Components of a Qualified Electronic Signature
    Figure 12: Trust framework for Qualified Trust Services under eIDAS (detailed view)
    Figure 13: Summary of PKI federation models
    Figure 14: Comparison of approaches to federating trust
    Figure 15: Bridge certification
    Figure 16: Illustration of a fully meshed PKI network in a cross-borde