The Key Recovery Demonstration Project (KRDP) will include a Public Key Infrastructure (PKI) which consists of a root Certification Authority and several dependent Certification Authorities. The following figure shows an example infrastrucrture which illustrates three possible methods for accomplishing key recovery in a PKI environment. CAs certify the public keys of particular user communities and provide certification paths to other CAs so that public keys in other CA domains may be verified. Organization Registration Authorities (ORAs) authenticate users, validate requests, and interact with the Certification Authorities; ORAs may also request key recovery from a Key Recovery Agent (KRA). Key Recovery Agents are used to recover keys, key components, or plaintext messages upon the receipt of an authorized request. The infrastructure imposes no implementation constraints. For example, the services provided by a CA and a KRA could be included in a single product.

In method A of the example infrastructure, a key has been stored and is directly accessible by the Key Recovery Agent. In method B, key components have been stored at separate storage locations from which they may be retrieved. In method C, the Key Recovery Agent does not need to store the user's key. For example, a message header could contain a session key that has been encrypted with a key known by the Key Recovery Agent. Although the figure shows the key recovery services as being provided by a remote entity, these services can be colocated with any of the elements shown on the figure (e.g., ORA, user).