Next-Generation Authorization & Authentication for Zero Trust

Offline, Account-less Access Control & Delegation

With P3KI Core, managing accounts on edge devices is a thing of the past!

Instead P3KI Core precisely authorizes individual operations (e.g., read value, change setting x, update firmware, add user, ...) based on a delegable, personalized authorization proof.

P3KI Core is an identity agnostic* and transport agnostic* delegation* framework*.

Key Benefits

  • Cost reduction
    by optimizing authorization and authentication processes using edge-managed workflows.
  • Easier risk-management
    based on a precise and auditable permission delegation model.
  • Quicker incident response & forensics
    based on traceable permission chains.
  • Improved business continuity
    by decentralizaton and offline capabilities.
  • Hardening of distributed systems
    based on end-to-end implementation of Zero Trust principles.
P3KI Timeline

Over a decade in the making!

P3KI Core has been a long time coming: based on research that begun in 2006, two best-of-class diploma theses, and under active development since 2014 by a growing consortium of companies with a headcount crossing thirty.

P3KI Core is the brainchild of the internationally renowned hacker Felix 'FX' Lindner and strongly informed by decades of experience 1, 2, 3, 4, 5, 6, 7 doing cyber security consulting1 for large multi-nationals from the automotive to telecoms sector.

1999: RFC 2693

SDSI/SPKI was way ahead of its time and was soon forgotten outside academia. Despite not being aware of SDSI/SPKI during initial development of P3KI Core we've arrived at many a same conclusion. P3KI Core, while not exactly SDSI/SPKI, shares a lot of its spirit.

2006: ISO 20828

The automotive industry foresaw the need for distributed PKI to address increasingly complex maintenance scenarios as well as vehicle-to-X communication security. The standard itself is heavily influenced by the established tools available at the time (X.509) and several important technical details are noted as outside the scope of the standard.

Nevertheless, ISO 20828 was instrumental in seeding the idea that would later become P3KI Core. Today P3KI Core goes far beyond what ISO 20828 envisioned and solves all its requirements with ease.

2012: Diploma Thesis

Gregor Kopf, in his diploma thesis, layed the foundation for what would become P3KI two years later. He outlined a distributed, peer-to-peer based, highly flexible alternative PKI approach and wrote the first prototype implementation while working for Recurity Labs1.

2015: Inverted PGP Web-of-Trust

As a first proof-of-concept we've shown an alternative approach to how PGP does verification of key material. PGP let's you verify that you trust someone that trusts someone that trusts a given key to be legitimate. However, since you already have a usable key in hand and attesting someone's key at key signing events did not quite scale, this step is rarely taken.

Our prototype turned this around by doing a forward-search of the web-of-trust until it found a trusted key that was directly usable or none at all, making key verification way more robust.

2016: Autonomous Parking & Driving

With this proof of concept for a large automotive we've outlined the applicability of P3KI to vehicle-to-X scenarios, namely autonomous parking and driving. For this we've developed a table-top demonstrator based on small mobile computers wirelessly communicating with each other.

2017: Reimplementation in Rust

Due to customer demand for an embedded implementation of P3KI Core, we've decided to move away from Java. After much deliberation we've settled on Rust at a time where MISRA-C and C++ where still state of the art.

Two years later, in mid-2019 we would be proven right in our decision, when even Microsoft hailed Rust as the next big and safe systems programming language.

2019: Personal Certificates

With this proof of concept we are able to show that it's possible to use P3KI Core to digitize personal certificates, like attestations for having successfully passed a professional welding test. The resulting system is straight forward to use, protects your privacy, and fully supports offline verification for scenarios where you do not have internet connectivity at hand.

2020: The way ahead

With our partner digital.Wolff we're bringing offline capable authorization to IoT payment terminals.

We've extended our platform support to include the Xtensa Platform (ESP32) as well as WebAssembly (WASM) along side Python 3 bindings.

Work on a Kubernetes integration to allow flexible authorization of large scale Cloud deployments is underway.

We've joined the newly established Trust over IP Foundation to further the standardization effort for decentralized PKI solutions.

If you want to learn more, don't hesitate to get in touch with us for a presentation and demo!

Contact us!

Four easy steps!


We analyze your requirements and existing solutions to identify how your systems can best benefit from P3KI Core with the least impact to your existing solutions.


We design a custom Policy Language that fits your requirements like a glove and document it in a way that makes integration a breeze for your developers.

We'll also take care of customizations you wish for to make P3KI Core match your system perfectly.


The easy part for your developers: add our library or service to your solution and follow the documentation step by step to add decentralized access delegation to your solution!

Any questions along the way? We're there for you!


We're committed to offering you first class service while your P3KI Core based solution is in the field. This includes access to our latest Solution Engineering Tools to help you operate your system more easily as they become available.

The Gist

P3KI is the next generation of Public-Key Infrastructure (PKI).

We offer flexible and arbitrarily precise expression of permission levels with first-class support for mathematically proven delegation to solve authorization and authentication challenges.

Everything is verifiable even in offline scenarios; without any central infrastructure being required.

P3KI's technology augments existing protocols and services and offers a solid base for new designs.

Offline-Capable & Decentralized

Our technology offers real decentralization, not the misleading "we're highly redundant" kind of distribution.

From the day the idea was born, we designed our solution to be 100% capable of operating without any kind of central infrastructure. You can model systems comprised of decentralized, fully autonomous nodes that only communicate occasionally with a random selection of their peers.

A strongly decentralized system automatically has to be fault tolerant with regards to the availability of inter-node communication connections. Split networks, nodes only occasionally able to communicate, and nodes without network connectivity are the norm in such scenarios. P3KI's technology is designed to not only cope with these scenarios but excel at modeling them.

You can of course still model centralized systems if that's what you need.

Risk Manager's Best Friend

Access delegations between devices can be expressed with arbitrary, scenario specific expressions. This means that access is delegated not wholesale but to exact specifications and requirements.

This has two added benefits:

  1. Up front, risk management can determine the exact permission levels delegated between any arbitrary selection of devices and services, making the risk manager's job significantly easier and more precise.
  2. Should a device get compromised, the worst that could happen is what the specific device was trusted with, which is usually just exactly what that specific device needed to do and nothing else. Other solutions use generic or coarsely specified certificates that lead to higher threat impact.

P3KI's solution offers better up front risk management capabilities and also greatly reduced possibilities of lateral movement in cases of compromise.

Our Partners


Contributing Member