Abstract
Interoperability between PKIs (Public Key Infrastructures) is a major issue in several electronic commerce scenarios. A Relying Party (RP), in particular in an international setting, should not unduly restrict its counterparts' selection of Certificate Authorities (CAs). Rather, the RP should be able to accept certificates issued by any relevant CA. Such acceptance implies not only the ability to validate certificates, but also an assessment of the risk related to acceptance of a certificate for the purpose at hand. We analyse common PKI trust models with respect to risk management, and argue that an independent, trusted Validation Authority (VA) may be a better approach for this task. A VA as suggested by this paper will also remove the need for complicated certificate path processing.
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ølnes, J., Buene, L. (2006). Use of a Validation Authority to Provide Risk Management for the PKI Relying Party. In: Atzeni, A.S., Lioy, A. (eds) Public Key Infrastructure. EuroPKI 2006. Lecture Notes in Computer Science, vol 4043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11774716_1
DOI: https://doi.org/10.1007/11774716_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-35151-1
Online ISBN: 978-3-540-35152-8
eBook Packages: Computer Science (R0)