How eduPKI works
Let’s assume that service A (i.e. eduroam) contacts eduPKI to request support on whether digital certificates are needed. eduPKI on the basis of service A's requirements proposes a digital certificate with specific characteristics for service A - the certificates' characteristics are defined in documents called Trust Profiles. The eduPKI CA issues certificates based on the defined Trust Profiles, however other NREN-operated CAs are also encouraged to do so.
The eduPKI group controls the elements in blue in the picture. TACAR is only partially under eduPKI control, being in existence before the creation of this service.