Entity Authentication and Trust Validation in PKI Using Petname Systems

Recognition of identities and certainty about identity ownership are crucial factors for secure communication in digital environments. Identity Management Systems have been designed to aid users as well as organisations in managing different user identities. However, traditional Identity Management Systems are primarily designed to facilitate the management of identities from the perspective of the service provider, and provide little support on the user side for managing organisational identities. Public Key Infrastructure (PKI) is the primary tool for aiding users in managing such identities on their side and for establishing trust during online transactions. Nevertheless, the complexities and difficulties involved in managing and understanding such certificates from the general public's point of view are overlooked. This causes vulnerabilities that open the door to serious attacks such as identity theft and phishing. Petname Systems have been proposed for managing organisational identities on the user side in order to improve user friendliness and to strengthen security. This chapter provides an analysis of the Petname Model by describing its history and background, properties, application domains and usability issues, and explains how a Petname System can be effectively combined with PKI to recognise identities and impose certainty by validating the user's trust in those identities. The chapter also presents our analysis of two applications that integrate the Public Key Infrastructure with the Petname Model.
