Use of a Validation Authority to Provide Risk Management for the PKI Relying Party

Interoperability between PKIs (Public Key Infrastructures) is a major issue in several electronic commerce scenarios. A Relying Party (RP), particularly in an international setting, should not unduly restrict its counterparts' selection of Certificate Authorities (CAs). Rather, the RP should be able to accept certificates issued by any relevant CA. Such acceptance implies not only the ability to validate certificates, but also an assessment of the risk related to acceptance of a certificate for the purpose at hand. We analyse common PKI trust models with respect to risk management, and argue that an independent, trusted Validation Authority (VA) may be a better approach for this task. A VA as suggested by this paper will also remove the need for complicated certificate path processing.
