What Is Public Key Infrastructure (PKI)?

Public key infrastructure, or PKI, is the cryptographic foundation that makes verifiable digital credentials possible. It provides the system of keys, certificates, and protocols that allow credentials to be signed by issuers and verified by anyone without requiring a direct integration between issuer and verifier (except, in some designs, for optional certificate or credential status checks).

How does PKI work?

PKI uses asymmetric cryptography, which relies on pairs of mathematically linked keys. Each issuer maintains two keys: a private key known only to the issuing authority, and a public key that anyone can use to verify signatures.

Only the private key can create a digital signature. Only the public key can confirm the signature's validity. The mathematical relationship between the two keys makes it computationally impossible to derive the private key from the public one. This asymmetry is what makes the system secure.

When a DMV issues a mobile driver's license, it applies a digital signature using its private key, a cryptographic stamp saying "I authorize this credential." When you later present that credential to a bank, the bank checks the signature using the DMV's public key. If the signature validates, the bank can cryptographically verify that the credential was signed by the DMV’s private key and that the signed data hasn’t been altered since issuance.

Why does PKI matter for digital identity?

PKI solves a fundamental problem in digital identity: how can a verifier trust a credential without contacting the issuer every time? The answer is cryptographic proof.

With PKI, trust doesn't require a phone call, a database lookup, or a direct integration between the DMV and the bank. The credential itself carries the proof. The DMV's signature is embedded in the credential, and any verifier with access to the DMV's public key can instantly confirm authenticity.

This enables verification at scale. A single DMV can issue millions of credentials, and millions of verifiers can check those credentials independently, without creating bottlenecks or privacy-invasive tracking systems.

Certificates and authenticity

Public keys must be distributed to verifiers so they can check signatures. But how does a verifier know that a public key truly belongs to a legitimate issuer? This is where digital certificates come in.

A digital certificate binds a public key to an identity, confirming, for example, that a particular public key belongs to the California DMV. Certificates are issued by certificate authorities (CAs) that vouch for the relationship between keys and identities.

Certificates act like passports for cryptographic systems. When a verifier receives a credential, they can check the certificate to confirm who issued it. An imposter claiming to be "State of Clafornya DMV" would be immediately rejected because they wouldn't have a valid certificate.

PKI in practice

PKI isn't new, it has secured internet commerce, email, and government systems for decades. The same infrastructure that enables HTTPS and puts the padlock icon in your browser is now being applied to digital identity.

For mobile driver's licenses, PKI ensures that credentials can be verified offline, using preloaded public keys, without requiring network connectivity. In ISO/IEC 18013-5 style presentations, verification can be performed locally using issuer public keys (or certificates) distributed through trusted channels. Whether a verifier operates fully offline or uses network-assisted checks depends on the deployment and risk requirements.

PKI also enables revocation. If a credential needs to be invalidated, for example, a driver's license is suspended, the issuer can publish that information to a revocation list. Verifiers check not only the signature but also whether the credential remains valid.

The invisible infrastructure of trust

PKI operates invisibly behind every verifiable digital credential. Users never see the cryptographic operations happening when they present an mDL. Verifiers simply see a green checkmark indicating the credential is authentic. But underneath that simple interface, PKI provides the mathematical foundation that makes digital identity trustworthy, scalable, and secure.