Managing Interoperability in Non-Hierarchical Public Key Infrastructures

This paper discusses considerations for certificate issuing systems, certificate processing applications, and directory systems in environments that employ non-hierarchical public key infrastructures (PKIs). The observations and recommendations here, while applicable to almost any non-hierarchical PKI, are most relevant to situations where establishing interoperability among the PKIs of disparate organizations is a primary goal. They are based on our work with a PKI interoperability testbed consisting of a bridge certification authority (CA) interconnecting multiple PKIs based on CA products from several vendors. Our view is that the more sophisticated aspects of X.509 certificate issuance and processing (e.g., certificate policies and mappings, name constraints) are tools that allow the PKI to establish the limits of security interoperability between organizations [1]. Consequently, we believe that the extensions for these X.509 features should be routinely populated by certificate issuing systems, and expected and processed by certificate processing applications. The goal of the recommendations herein is to promote interoperability among the PKI relying parties, while still allowing the owning organizations to maintain security control.