Abstract
Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI) can respectively be used to support authentication and authorization in distributed scenarios. The validation of certificate chains is a critical issue in both infrastructures, because it requires several costly processes, such as certificate path discovery, validation of each certificate, and so on. The problem becomes even worse in devices with limited resources (battery, memory, computational capacity, etc.) such as mobile devices. In this paper we present an architecture that reduces the communication and computational overhead of certificate status checking in a complete certificate chain. The proposed tracing of the certificate chains is based on a cascade certificate revocation policy.
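The abstract contrasts per-certificate status checking of a whole chain with a tracing approach built on cascade revocation. The following is an added illustration, not the paper's own architecture: it assumes a simplified model in which revoking a certificate also revokes every certificate issued under it (cascade revocation), so that the status of the end certificate already reflects the revocation of any issuer above it. The registry, the query counter and the chain root -> ca1 -> ca2 -> leaf are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    """Minimal certificate: a subject name and the subject of its issuer (None for a root)."""
    subject: str
    issuer: Optional[str]


class CascadeRevocationRegistry:
    """Constructed registry applying a cascade revocation policy (assumption for this example):
    revoking a certificate also revokes every certificate that chains up to it."""

    def __init__(self) -> None:
        self.certs: Dict[str, Cert] = {}
        self.revoked: Set[str] = set()
        self.queries = 0  # number of status lookups, the cost the paper aims to reduce

    def issue(self, subject: str, issuer: Optional[str]) -> None:
        if issuer is not None and issuer not in self.certs:
            raise ValueError(f"unknown issuer {issuer!r}")
        self.certs[subject] = Cert(subject, issuer)

    def revoke(self, subject: str) -> None:
        # Cascade: mark the certificate and, transitively, everything issued under it.
        pending = [subject]
        while pending:
            current = pending.pop()
            if current in self.revoked:
                continue
            self.revoked.add(current)
            pending.extend(c.subject for c in self.certs.values() if c.issuer == current)

    def status(self, subject: str) -> bool:
        """One status query (e.g. one OCSP-style lookup); True means 'good'."""
        self.queries += 1
        return subject not in self.revoked

    def chain(self, subject: str) -> List[str]:
        """Certificate path from the end certificate up to the root."""
        path, current = [], subject
        while current is not None:
            path.append(current)
            current = self.certs[current].issuer
        return path


def validate_per_certificate(reg: CascadeRevocationRegistry, subject: str) -> bool:
    # Baseline: one status query for every certificate in the chain (stops at the first revoked one).
    return all(reg.status(s) for s in reg.chain(subject))


def validate_traced(reg: CascadeRevocationRegistry, subject: str) -> bool:
    # Under cascade revocation the end certificate's status already reflects any revoked issuer,
    # so a single query on the end certificate decides the whole chain.
    return reg.status(subject)


def compare(reg: CascadeRevocationRegistry, subject: str) -> Tuple[bool, int, bool, int]:
    """Run both validators and report (result, queries) for each."""
    reg.queries = 0
    baseline = validate_per_certificate(reg, subject)
    baseline_queries = reg.queries
    reg.queries = 0
    traced = validate_traced(reg, subject)
    return baseline, baseline_queries, traced, reg.queries


def build_demo_registry() -> CascadeRevocationRegistry:
    """Constructed four-level chain: root -> ca1 -> ca2 -> leaf."""
    reg = CascadeRevocationRegistry()
    reg.issue("root", None)
    reg.issue("ca1", "root")
    reg.issue("ca2", "ca1")
    reg.issue("leaf", "ca2")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print("before revocation:", compare(reg, "leaf"))
    reg.revoke("ca1")  # cascades to ca2 and leaf
    print("after revoking ca1:", compare(reg, "leaf"))
```

With the chain intact the baseline validator spends four queries where the traced check spends one; after ca1 is revoked both reject the leaf, and the single traced query still suffices because the cascade has already propagated the revocation down to the end certificate.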
This work has been supported by the Spanish Research Council under the project ARPA (TIC2003-08184-C02-02) and the European Union funded project UBISEC. We also thank both the Departament d’Universitats, Recerca i Societat de la Informació and European Social Funds that support M. Francisca Hinarejos’s PhD work.
© 2006 Springer-Verlag Berlin Heidelberg
Hinarejos, M.F., Forné, J. (2006). Revocation Scheme for PMI Based Upon the Tracing of Certificates Chains. In: Gavrilova, M.L., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3983. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751632_118
DOI: https://doi.org/10.1007/11751632_118
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34077-5
Online ISBN: 978-3-540-34078-2