A Flexible Management Framework for Certificate Status Validation

Public key cryptography is widely recognised as the technology to develop effective authentication, integrity, confidentiality and non-repudiation services. The provision of public key-based security services for complex and large scale organisations requires a Public Key Infrastructure (PKI) in charge of securely managing cryptographic keys/certificates. An essential PKI service is the certificate status validation (CSV) system that supports the publishing and the consistent usage of certificate status information for wide range of applications. Several CSV solutions, such as Certificate Revocation Lists or the On-line Certificate Status Protocol, are available, but none can meet the requirements for all applications, in particular of timeliness and performance. The lack of a comprehensive CSV solution calls for the development of a flexible framework that can integrate all available validation mechanisms and permit the selection of alternative validation strategies, depending on application requirements. The paper describes this framework that provides PKI users with a flexible, dynamic and transparent CSV support. In addition, the paper claims that the framework flexibility, dynamicity and transparency can greatly benefit from the adoption of the Mobile Agent (MA) technology because it exhibits the same intrinsic features, by presenting an MA-based prototype for CSV.

[1]  Gian Pietro Picco,et al.  Understanding code mobility , 1998, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[2]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[3]  David W. Chadwick,et al.  Merging and extending the PGP and PEM trust models-the ICE-TEL trust model , 1997, IEEE Netw..

[4]  R. Perlman,et al.  An overview of PKI trust models , 1999, IEEE Netw..

[5]  William Stallings Network and Internetwork Security: Principles and Practice , 1994 .

[6]  Moni Naor,et al.  Certificate revocation and certificate update , 1998, IEEE Journal on Selected Areas in Communications.

[7]  Fred B. Schneider,et al.  NAP: practical fault-tolerance for itinerant computations , 1999, Proceedings. 19th IEEE International Conference on Distributed Computing Systems (Cat. No.99CB37003).

[8]  Barbara Fox,et al.  Certificate Recocation: Mechanics and Meaning , 1998, Financial Cryptography.

[9]  Barbara Fox,et al.  Online Certificate Status Checking in Financial Transactions: The Case for Re-issuance , 1999, Financial Cryptography.

[10]  Paul C. Kocher On Certificate Revocation and Validation , 1998, Financial Cryptography.

[11]  Antonio Corradi,et al.  Mobile Agents Integrity for Electronic Commerce Applications , 1999, Inf. Syst..

[12]  Ronald L. Rivest,et al.  Can We Eliminate Certificate Revocations Lists? , 1998, Financial Cryptography.

[13]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[14]  Antonio Corradi,et al.  A secure and open mobile agent programming environment , 1999, Proceedings. Fourth International Symposium on Autonomous Decentralized Systems. - Integration of Heterogeneous Systems -.

[15]  Carlisle Adams,et al.  A General, Flexible Approach to Certificate Revocation , 1998 .

[16]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[17]  Danny B. Lange,et al.  Programming and Deploying Java¿ Mobile Agents with Aglets¿ , 1998 .

[18]  Warwick Ford,et al.  Secure electronic commerce , 1997 .

[19]  Michael Myers Revocation: Options and Challenges , 1998, Financial Cryptography.

[20]  Patrick McDaniel,et al.  Windowed Key Revocation in Public Key Infrastructures , 2000 .