In a public key system, each user has a publicly known encryption key (public key) and a private key known only to that user. Messages are encrypted using the receiver's public key. When they receive it, they decrypt it using their private key.
Public key systems (sometimes implemented as public key infrastructures, or PKIs) employ a sophisticated approach to authentication that relies heavily on cryptography. Public key cryptography is often touted as a virtual panacea for e-commerce and e-government authentication and confidentiality challenges; however, implementation and deployment details are key to this technology's effectiveness, security, usability, and privacy protection. A critical component of some public key systems is a certificate authority (CA) that will certify that a particular key belongs to a particular individual. One way to implement this functionality is to use a public CA (or trusted third party) to certify keys for multiple users and organizations. This practice, however, places much control in a centralized location, raising privacy and security concerns.
The complexity of public key systems has made their ease of use and deployment a challenge. Getting the underlying cryptography right is only half the battle. Users must be educated with respect to how the systems should be used for maximum effectiveness. Certificates must be distributed securely and revoked when necessary. These systems require considerable storage, bandwidth, and computational ability. Their privacy implications depend on how they are implemented and used. The scope of the PKI (as with any authentication system) will be one determinant of how grave the attendant privacy risks are. At one end of the spectrum is a PKI designed to operate in a limited context (for example, in a single organization or for a single function), and at the other end are PKIs that attempt to provide service to a very large population for a broad set of purposes.