Public key infrastructures (PKI) implemented by separate organizations, such as individual federal agencies, can be combined to create a larger interconnected system, such as a government-wide, national, or international PKI. To do this, entities within each component system need a way to reliably establish an electronic path to the certification authorities that generate digital certificates for users within the other component systems.
There are three major approaches, or certification path models, for doing this. First, the trust list method relies on all components accepting a specific list of trusted certification authorities. This approach is used by web browsers. Second, in the hierarchical model, a single “root” certification authority issues certificates to subordinate certification authorities located in each component system. Third, in a mesh architecture, nonhierarchical links are established among certification authorities in separate components that are not subordinated to each other.
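The sketch below is an added example, not part of the original text. It is a minimal path builder showing how a relying party finds a chain from its trust anchor(s) to a user's certificate under each of the three models. The CA and user names and the (issuer, subject) representation are constructed for illustration, and signature, validity and revocation checks are out of scope.

```python
from collections import deque

# Constructed sample data: each certificate is an (issuer, subject) pair.
# All CA and user names are hypothetical.
HIERARCHY = [("Root", "AgencyA-CA"), ("Root", "AgencyB-CA"),
             ("AgencyA-CA", "alice"), ("AgencyB-CA", "bob")]
MESH = [("AgencyA-CA", "AgencyB-CA"), ("AgencyB-CA", "AgencyA-CA"),  # cross-certs
        ("AgencyB-CA", "AgencyC-CA"), ("AgencyC-CA", "AgencyB-CA"),
        ("AgencyA-CA", "alice"), ("AgencyC-CA", "carol")]
TRUST_LIST = [("AgencyA-CA", "alice"), ("AgencyB-CA", "bob")]  # no CA-to-CA certs


def build_path(certs, trust_anchors, subject):
    """Return the shortest chain of names from a trust anchor to subject, or None.

    Breadth-first search over issuer -> subject edges. The visited set keeps
    the bidirectional cross-certificates of a mesh from looping forever.
    """
    issued = {}
    for issuer, subj in certs:
        issued.setdefault(issuer, []).append(subj)
    queue = deque([anchor] for anchor in sorted(trust_anchors))
    visited = set(trust_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == subject:
            return path
        for nxt in issued.get(path[-1], []):
            if nxt not in visited:
                visited.add(nxt)
                queue.append(path + [nxt])
    return None  # no certification path: the relying party must not trust subject


if __name__ == "__main__":
    # Hierarchical: every relying party anchors on the single root.
    print(build_path(HIERARCHY, {"Root"}, "bob"))
    # Mesh: the relying party anchors on its own CA and follows cross-certificates.
    print(build_path(MESH, {"AgencyA-CA"}, "carol"))
    # Trust list: a path exists only if the issuing CA is itself on the list.
    print(build_path(TRUST_LIST, {"AgencyA-CA", "AgencyB-CA"}, "bob"))
    print(build_path(TRUST_LIST, {"AgencyA-CA"}, "bob"))
```

The hierarchical and trust list lookups produce short, predictable chains, while the mesh lookup has to search through cross-certificates and guard against cycles.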