PKI

PKI binds identities to public keys through certificates issued by Certificate Authorities; trust flows from a self-signed root CA, through intermediate CAs, down to end-entity certificates — the chain of trust. When a key is compromised or a certificate must be retired early, revocation is published via Certificate Revocation Lists (CRLs) or checked in real time with OCSP.