The MDAV project proved the concept of decentralised community PKI.

A Community PKI is a family of certificate issuers, each serving a distinct autonomous community of interest. Certificates within a community serve a particular purpose. All certificates across the PKI chain back to a common private hardware root of trust (the private root CA) yet remain distinct. Each community CA is free to set its own rules (unlike a traditional centralised PKI which sets uniform registration rules from the top down). The community root CA confers only membership of the community of communities.

MDAV has a Certificate Policy template customised by each community CA.

Each certificate in the decentralised PKI means nothing more and nothing less than the fact that the holder is a member of the issuing community.

So a fire fighter’s certificate means they are a member of the community of credentialed fire fighters, and a police officer’s certificate means they are a member of a certain police force. Each certificate is uniquely identified by an X.500 Policy Object Identifier (OID). Unlike traditional PKI which forces homogeneous issuing rules, certificates from different branches of a Community PKI are distinct, intended to be used for different purposes. The fact that all MDAV certificates chain to the same root (trust anchor) signifies only that they are part of one big scalable family, and can each be interpreted in a consistent manner. The precise meaning of each certificate is set by the issuer — as is the case for any professional credential.

The diagram illustrates the community PKI as nested communities (and shows the technical detail of the certificate OIDs nested under the private root OID).

The structure is topologically equivalent to a hierarchy and built from commercial off-the-shelf PKI services, but there is no single issuing policy. The community PKI is hierarchical but not dictatorial.
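As an added example (not MDAV code), the relying-party step this design implies: once a certificate has been chained to the private root, read its certificatePolicies extension, decode the policy OID and map it to the issuing community. The root arc, the community sub-arcs and the two DER extension values are constructed placeholders, and the parser uses only the Python standard library.

```python
# Added example, not MDAV code: map a certificate's policy OID to its community.
# The root arc, sub-arcs and DER samples below are placeholders constructed for this example.
ROOT_ARC = "1.3.6.1.4.1.99999"        # placeholder private root OID, not a real arc
COMMUNITIES = {                        # constructed community CA sub-arcs under the root
    ROOT_ARC + ".1": "credentialed fire fighters",
    ROOT_ARC + ".2": "police force",
}
# Constructed DER certificatePolicies values, as the extension would carry them in a certificate:
FIRE_FIGHTER_EXT = bytes.fromhex("300d300b06092b06010401868d1f01")  # policy 1.3.6.1.4.1.99999.1
ANY_POLICY_EXT = bytes.fromhex("300830060604551d2000")              # policy 2.5.29.32.0 (anyPolicy)

def _tlv(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = min(body[0] // 40, 2)      # first arc is 0, 1 or 2; under 2 the second arc may exceed 39
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:                 # remaining arcs are base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return every policyIdentifier in a certificatePolicies value; qualifiers are skipped."""
    tag, seq, _ = _tlv(ext_value)
    oids, pos = [], 0
    while pos < len(seq):
        itag, info, pos = _tlv(seq, pos)           # PolicyInformation ::= SEQUENCE { OID, ... }
        otag, body, _ = _tlv(info)
        if tag != 0x30 or itag != 0x30 or otag != 0x06:
            raise ValueError("malformed certificatePolicies")
        oids.append(decode_oid(body))
    return oids

def community_of(ext_value):
    """The page's rule: a certificate means membership of the issuing community, no more.
    Chaining to the shared root (checked separately) proves only family membership; a policy
    OID outside a known community arc confers nothing, so the result is None."""
    for oid in policy_oids(ext_value):
        for arc, name in COMMUNITIES.items():
            if oid == arc or oid.startswith(arc + "."):
                return name
    return None
```

A certificate carrying only anyPolicy, or a policy from an unknown arc, is treated as conferring no community membership even though it chains to the same root.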


Community PKI was implemented and proven in the MDAV project. We have subsequently advocated this design pattern for COVID vaccination certificates, presenting the architecture to the Turing Institute and Identiverse conferences.