When we at Entersekt tell people that our solution uses X.509 certificates on a mobile phone, they often reply cynically, “But PKI doesn’t scale!?” How, then, are we able to make that claim?

There are two main reasons why public-key infrastructure (PKI) has failed to scale effectively for consumer applications. Firstly, the registration authority of the CA (certificate authority) often has stringent identity verification obligations that must be met before a user certificate can be issued. These rigorous requirements for issuance are designed to satisfy the level of trust that relying parties will place in the certificate further along the line. However, since enrolment occurs right at the beginning of the relationship between customer and organization, there is no secure environment for communications available yet. This is why onerous procedures like physical presence are required, but these procedures tend to frustrate and alienate customers.

Secondly, validating certificates for revocation at scale has proven to be difficult. PKI requires that either certificate revocation lists (CRLs – files listing all previously revoked certificates) be published to all relying parties, or that a computationally intensive Online Certificate Status Protocol (OCSP) be implemented to validate the certificates. Since neither of these alternatives looks particularly appealing, validation has also been an obstacle to deploying PKI at scale.

A whole new world

Entersekt has opted to do things differently. As per our patented emCert methodology, we issue a unique certificate to each new mobile application instance – not a traditional named certificate to the user. This unique certificate is then linked to a named identity by one organization, which establishes that link through a risk-appropriate enrolment process. The user’s identity cannot be inferred from the certificate, except by that organization – which can also leverage this ability to lessen the burden on the user to continually identify themselves. As a result, certificate revocation is in most circumstances not even necessary, since whenever trust in a certificate is jeopardized, the organization can simply break its link to the named identity, rendering the certificate unusable.

We issue an emCert to the mobile device prior to any proof of identity by the user. The upshot of this is that we can use X.509 infrastructure to implement an ID&V (identity and verification) process that satisfies both confidentiality and integrity requirements – something traditional PKI cannot do, because there, certificates are only issued after the ID&V process is completed. Our way of leveraging PKI enables a more convenient and secure enrolment process, which means more customers, faster.
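To make the two ideas above concrete, here is an added Python model (not Entersekt's code, and not the emCert implementation) of the linkage approach described in the last two paragraphs: a certificate issued to an app instance carries only opaque values, the organization keeps the link between certificate and account in its own store, and "revocation" is deleting that link rather than consulting a CRL or OCSP responder. The certificate structure is a simplified stand-in for X.509 (no ASN.1), and the CA signature is an HMAC under a constructed secret so the script runs offline; both are assumptions made for the example, as are the account id and key values.

```python
"""Per-app-instance certificates linked to an identity out of band.

Illustrates: (1) the cert is issued before any proof of identity and already
authenticates the channel over which that proof is collected; (2) the cert
reveals nothing about the user; (3) trust is withdrawn by removing the link,
with no CRL or OCSP lookup on the verification path.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed CA secret for the example; a real CA signs with a private key.
CA_SECRET = b"example-ca-secret-not-for-production"


def _tbs(serial: str, subject: str, public_key: str) -> bytes:
    """Canonical 'to-be-signed' encoding of the certificate fields."""
    return json.dumps({"serial": serial, "subject": subject,
                       "public_key": public_key}, sort_keys=True).encode()


def _ca_sign(serial: str, subject: str, public_key: str) -> str:
    return hmac.new(CA_SECRET, _tbs(serial, subject, public_key),
                    hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class DeviceCert:
    serial: str       # unique per app instance
    subject: str      # random opaque identifier: no name, no account, no phone
    public_key: str   # hex stand-in for the device's public key
    signature: str    # CA's signature over the three fields above

    def fingerprint(self) -> str:
        """Stable handle used as the key in the organization's link store."""
        return hashlib.sha256(_tbs(self.serial, self.subject,
                                   self.public_key)).hexdigest()


def issue_device_cert(device_public_key: str) -> DeviceCert:
    """Issued at first launch, before the user has proven who they are."""
    serial = secrets.token_hex(8)
    subject = secrets.token_hex(16)
    return DeviceCert(serial, subject, device_public_key,
                      _ca_sign(serial, subject, device_public_key))


def ca_accepts(cert: DeviceCert) -> bool:
    """Ordinary issuer check: is this a certificate our CA actually signed?"""
    expected = _ca_sign(cert.serial, cert.subject, cert.public_key)
    return hmac.compare_digest(cert.signature, expected)


class IdentityLinkStore:
    """Held only by the organization; the cert itself never carries the link."""

    def __init__(self) -> None:
        self._links: Dict[str, str] = {}

    def bind(self, cert: DeviceCert, account_id: str) -> None:
        # Called only after the risk-appropriate ID&V process has succeeded.
        self._links[cert.fingerprint()] = account_id

    def unbind(self, cert: DeviceCert) -> None:
        # Trust withdrawn: the cert stays CA-valid but can no longer act for anyone.
        self._links.pop(cert.fingerprint(), None)

    def resolve(self, cert: DeviceCert) -> Optional[str]:
        return self._links.get(cert.fingerprint())


def authorize(cert: DeviceCert, store: IdentityLinkStore) -> Optional[str]:
    """Account the presented cert may act for, or None.

    Step 1 is the usual chain check; step 2 replaces the revocation check.
    """
    if not ca_accepts(cert):
        return None
    return store.resolve(cert)


def walkthrough() -> Dict[str, object]:
    """Runs the lifecycle end to end and returns the observable states."""
    store = IdentityLinkStore()
    cert = issue_device_cert("04" + secrets.token_hex(32))   # constructed key
    states: Dict[str, object] = {}
    states["issued_unlinked"] = authorize(cert, store)        # None
    states["channel_ok_before_idv"] = ca_accepts(cert)        # True
    store.bind(cert, "acct-12345")                            # ID&V passed
    states["after_enrolment"] = authorize(cert, store)        # "acct-12345"
    # Same fields but a bad signature: fails step 1 even though a link exists.
    forged = DeviceCert(cert.serial, cert.subject, cert.public_key, "00" * 32)
    states["forged_while_linked"] = authorize(forged, store)  # None
    store.unbind(cert)                                        # "revocation"
    states["after_unlink"] = authorize(cert, store)           # None
    return states


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value!r}")
```

The property worth noticing is that the verification path never touches a revocation artefact: `authorize` does one signature check and one keyed lookup in data the organization already owns, and withdrawing trust is a single delete in that store. The trade-off, which the model makes visible, is that the link store becomes the source of truth for identity and therefore needs the same integrity and availability attention a CRL distribution point would.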

Niel Bester


An engineer by training, Niel has decades of experience in most facets of software development within the telecommunications and IT industries. He is passionate about product and organizational strategy and is a highly popular sounding board and source of information on trends in the market.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.