Finding the PKI needles in the Internet haystack

Public key cryptography can uniquely enable trust within distributed settings. Employing it usually requires deploying a set of tools and services collectively known as a Public Key Infrastructure (PKI). PKIs have become a central asset for many organizations, because IT systems and users are distributed. Even though the use of PKIs in closed and controlled environments is quite common, interoperability and usability problems arise when shifting to a broader, open environment. To make an effective trust judgment about a public key certificate, a PKI user needs more than just knowledge of that certificate: she also needs to be able to locate critical parameters such as the certificate repositories and certificate validation servers relevant to that certificate - and to all the others in the trust path she builds for it. Surprisingly, locating these resources and services remains a largely unsolved problem in real-world X.509 PKI deployment. This issue particularly affects the usability of this technology and the interoperability of PKIs in open environments such as the Internet. In this paper, we present the design and prototype of a new and flexible solution for automatic discovery of the services and data repositories made available by a Certificate Service Provider (CSP). This contribution will take real-world PKI one step closer to enhancing the usability of digital certificates and the interoperability between PKIs.
