
PKI as a Social and Technical System
Public Key Infrastructure is the system of trust that makes HTTPS work — not just the cryptography, but the organizational rules, audit requirements, and browser policies that determine whose signatures your computer trusts. The technical substrate is X.509 certificates. The social substrate is the CA/Browser Forum, a consortium of certificate authorities and browser vendors that sets binding rules about what certificates can be issued and how. Understanding both layers explains why HTTPS is resilient and where it can still fail.
Inside an X.509 Certificate
An X.509 certificate is a data structure that binds a public key to an identity and is signed by a certificate authority. The major fields are: version (always 3 for modern certs), serial number (unique within the CA's issuances), issuer (the CA's disting
The CA Hierarchy and Trust Anchors
Root CA certificates are self-signed and embedded in the operating system or browser trust store. When you install macOS or Chrome, you are implicitly trusting the roughly 150 root CAs included. Root CAs rarely issue certificates directly — they sign inte
Certificate Transparency Logs
Certificate transparency requires that every certificate issued by a publicly trusted CA be logged to one or more append-only CT logs before browsers will accept it. Each log uses a Merkle tree structure: new certificates are appended as leaves, the
Revocation: OCSP and CRL
When a certificate's private key is compromised or a certificate is issued in error, it must be revoked before expiry. Certificate Revocation Lists (CRLs) are lists published by CAs that browsers can download, but they can be megabytes in size and stale.
Go Deeper: Merkle Trees
Certificate transparency logs are append-only Merkle trees — the same data structure that makes git work and blockchains possible. The Merkle tree is the bridge between cryptographic hashing and distributed systems: it allows any party to verify that a specific item is included in a large dataset, using a proof that is logarithmic in the dataset size. Understanding Merkle trees opens the door to how distributed systems achieve verifiable integrity.
Understand Merkle Trees and Hash Chains
A deep look at the data structures that make blockchains, git, and certificate transparency possible — and the O(log n) inclusion proofs that let you verify a single entry in a billion-record log.

