A Community PKI is a family of issuers, each serving a community of interest that recognises a particular credential (certificate), all anchored by a common root CA. Each community is free to set its own rules (unlike a traditional centralised PKI which sets uniform registration rules from the top down). The community root CA only confers membership of the community of communities.
MDAV has a Certificate Policy template customised by each community CA.
Each certificate in the decentralised PKI means nothing more and nothing less than the fact that the holder is a member of the issuing community. So a fire fighter’s certificate means they are a member of the community of credentialed fire fighters, and a police officer’s certificate means they are a member of a certain community of police officers. Each certificate is uniquely identified by the OID; certificates from different communities are (of course) not “equivalent” in any way. The fact that all MDAV certificates chain to the same root (trust anchor) only signifies that they are part of a big scalable family, and can each be interpreted in a consistent manner. The precise meaning of each certificate is set by the issuer, as is the case for any professional credential.
The diagram illustrates the community PKI as nested communities (and shows the technical detail of the certificate Object Identifiers nested under the private root OID). The structure is topologically equivalent to a hierarchy and built from commercial off-the-shelf PKI services, but there is no policy dictate.
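As an added example, not MDAV's code and not from the original page, the following self-contained Go program shows what the "membership, nothing more" semantics look like at a verifier. It stands up a common root, two community CAs whose certificate policy OIDs sit under one private arc, and member certificates, then decides which community a holder belongs to from the policy OID rather than from the chain alone. The private arc 1.3.6.1.4.1.99999, the community OIDs beneath it, the CA and holder names and the checkMembership logic are all constructed for illustration; MDAV's real root OID is not given on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed policy OIDs under a constructed private arc (1.3.6.1.4.1.99999);
// the page does not give MDAV's real root OID.
var (
	fireOID     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	policeOID   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
	communities = map[string]string{fireOID.String(): "fire fighters", policeOID.String(): "police officers"}
	serial      int64
)

type member struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func fatal(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for name under parent (nil parent self-signs the root);
// a nil policy, used only for the root, omits the certificatePolicies extension.
func issue(name string, isCA bool, parent *member, policy asn1.ObjectIdentifier) *member {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fatal(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if policy != nil { // hand-encode certificatePolicies (2.5.29.32) so it marshals the same on every Go version
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
		fatal(err)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	fatal(err)
	cert, err := x509.ParseCertificate(der)
	fatal(err)
	return &member{cert, key}
}

// checkMembership verifies that leaf chains to the common root through communityCA and
// returns the community whose membership the certificate attests. Chaining to the root
// only proves the holder is in the family; the policy OID carries the meaning, and the
// issuing community CA must be the one entitled to assert it.
func checkMembership(leaf, communityCA, root *x509.Certificate) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(communityCA)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err
	}
	if len(leaf.PolicyIdentifiers) != 1 {
		return "", fmt.Errorf("%q: expected exactly one community policy", leaf.Subject.CommonName)
	}
	policy, issuer := leaf.PolicyIdentifiers[0], chains[0][1] // chain is leaf, community CA, root
	if len(issuer.PolicyIdentifiers) != 1 || !issuer.PolicyIdentifiers[0].Equal(policy) {
		return "", fmt.Errorf("%q: issuer %q may not assert policy %s", leaf.Subject.CommonName, issuer.Subject.CommonName, policy)
	}
	if name, ok := communities[policy.String()]; ok {
		return name, nil
	}
	return "", fmt.Errorf("%q: unknown community policy %s", leaf.Subject.CommonName, policy)
}

// buildPKI stands up the root, both community CAs and three leaves; "mallory" is
// deliberately misissued (fire fighters CA asserting the police OID) for the check to catch.
func buildPKI() map[string]*member {
	root := issue("Community Root CA", true, nil, nil)
	fireCA := issue("Fire Fighters CA", true, root, fireOID)
	policeCA := issue("Police CA", true, root, policeOID)
	return map[string]*member{"root": root, "fireCA": fireCA, "policeCA": policeCA,
		"alice":   issue("Alice", false, fireCA, fireOID),
		"bob":     issue("Bob", false, policeCA, policeOID),
		"mallory": issue("Mallory", false, fireCA, policeOID)}
}
```

The design choice worth noting is that chain validation and meaning are kept separate: a certificate that chains to the root but whose policy OID belongs to a different community than its issuing CA is rejected, which is the practical consequence of "certificates from different communities are not equivalent". A real verifier would load every community CA it recognises into the intermediates pool and keep the OID-to-meaning table under the Certificate Policy each community publishes.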
Community PKI was implemented and proven in the MDAV project. We have subsequently advocated this design pattern for COVID vaccination certificates.