“Public Key Superstructure”

A major peer reviewed paper presented at the NIST’s 7th Symposium on Identity and Trust on the Internet, March 2008.

Home » Library » PKI » “Public Key Superstructure”

“It’s PKI Jim but not as we know it”.

This work draws together most of Stephen’s deep thinking on PKI from over a decade’s work, canvassing the reasons for PKI’s historical difficulties, popular misconceptions, and ways to break the unhelpful nexus between Big PKI and centralised ID systems.

Written paper plus conference slide handouts available below.

This paper introduces the term “Public Key Superstructure” to describe a new way to knit together existing mature PKI components to improve the flexibility, accessibility and cost of digital certificates.


While PKI has had its difficulties (like most new technologies) the unique value of public key authentication in paperless transactions is now widely acknowledged. The naïve early vision of a single all-purpose identity system has given way to a more sophisticated landscape of multiple PKIs, used not for managing identity per se, but rather more subtle memberships, credentials and so on. It is well known that PKI’s successes have mostly been in closed schemes. Until now, this fact was often regarded as a compromise; many held out hope that a bigger general purpose PKI would still eventuate. But I argue that the dominance of closed PKI over open is better understood as reflecting the reality of identity plurality, which independently is becoming the norm through the Laws of Identity and related frameworks.

This paper introduces the term “Public Key Superstructure” to describe a new approach to knitting together existing mature PKI components to improve the utility and strategic appeal of digital certificates. The “superstructure” draws on useful precedents in the security printing industry for manufacturing specialised security goods without complicated or un-natural liabilities, and international accreditation arrangements for achieving cross-border recognition of certificates. The model rests on a crucial re-imagining of certificates as standing for relationships rather than identities. This elegant re-interpretation of otherwise standard elements could truly be a paradigm shift for PKI, for it normalises digital certificates, grounding them in familiar, even mundane management processes. It will bring profound yet easily realised benefits for liability, cost, interoperability, scalability, accreditation, and governance.

IDtrust2008 Lockstep PKI Superstructure (1 0 4) Lockstep PK Superstructure NIST IDtrust 2008 HANDOUTS (1 0)