Jon A. Solworth
ABSTRACT
Authentication information is best localized. Local sources of authentication information are better able to physically identify users, provide authoritative information on them, adequately protect authentication information and infrastructure, and ato provide high quality authentication at an affordable cost.
We consider here the problem of public key authentication using a potentially large number of local Certificate Authorities (CAs). The information provided by these CAs is federated together to create a large-scale distributed authentication base. One of the key problems in doing so is certificate revocation. Efficient mechanisms are described for certificate revocation when there are many CAs and we provide some measures on their efficiency.
- Y. Elley, A. Anderson, S. Hanna, S. Mullan, R. Perlman, and S. Proctor. Building certification paths: Forward vs. reverse. In Proc. of the Symp. on Network and Distributed Systems Security (NDSS), San Diego, CA, 2001. Internet Society.Google Scholar
- Armando Fox and Eric A. Brewer. Harvest, yield and scalable tolerant systems. In Workshop on Hot Topics in Operating Systems, pages 174--178, 1999. Google ScholarDigital Library
- Seth Gilbert and Nancy Lynch. Brewer's conjecture and the feasibility of consistent, available, partition-tolerant web services. SIGACT News, 33(2):51--59, 2002. Google ScholarDigital Library
- Vipul Goyal. Certificate revocation using fine grained certificate space patitioning. In Financial Cryptography and Data Security Conference, 2007.Google ScholarCross Ref
- Peter Gutmann. PKI: It's not dead, just resting. IEEE Computer, 35(8):41--49, 2002. Google ScholarDigital Library
- Peter Gutmann. Drawing lessons. In 3rd PKI workshop, 2004. Invited talk.Google Scholar
- Paul C. Kocher. On certificate revocation and validation. In FC'98: Proceedings of the Second International Conference on Financial Cryptography, pages 172--177, London, UK, 1998. Springer-Verlag. Google ScholarDigital Library
- Leslie Lamport. Password authentication with insecure communication. Commun. ACM, 24(11):770--772, 1981. Google ScholarDigital Library
- R. Merkle. A digital signature based on a conventional encryption function. In Crypto, pages 369--378, 1987. Google ScholarDigital Library
- Silvio Micali. Efficient certificate revocation. Technical report, Massachusetts Institute of Technology, Cambridge, MA, USA, 1996. Google ScholarDigital Library
- Silvio Micali. Efficient certificate revocation. In Proceedings 1197 RSA Data Security Conference, 1997.Google Scholar
- Silvio Micali. NOVOMODO: Scalable certificate validation and simplified PKI management. In 1st PKI Workshop, 2002.Google Scholar
- Online certificate status protocol, version 2. Working document of the Internet Engineering Task Force (IETF).Google Scholar
- D.D. Redell and R.S. Fabry. Selective revocation of capabilities. In Proceedings of the International Workshop on Protection in Operating Systems, pages 197--209, August 1974.Google Scholar
- Ronald Rivest, Adi Shamir, and L. Adleman. On digital signatures and public key cryptosystems. Communications of the ACM (CACM), 21:120--126, 1978. Google ScholarDigital Library
- Ronald L. Rivest. Can we eliminate certificate revocations lists? In Financial Cryptography, pages 178--183, 1998. Google ScholarDigital Library
- Jon A. Solworth. Instant revocation. In EuroPKI'08, June 2008. available at http://www.rites.uic.edu/solworth/solworth08instantRevocation.pdf. Google ScholarDigital Library
- Jennifer G. Steiner, B. Clifford Neuman, and J. I. Schiller. Kerberos: An authentication service for open network systems. In Winter 1988 USENIX Conference, pages 191--201, Dallas, TX, 1988.Google Scholar
- Stuart Stubblebine. Recent-secure authentication: Enforcing revocation in distributed systems. In Proceedings 1995 IEEE Symposium on Research in Security and Privacy, pages 224--234, May 1995. Google ScholarDigital Library
- M. Zhao and S.W. Smith. Modeling and evaluation of certification path discovery in the emerging global PKI. In Public Key Infrastructure: EuroPKI 2006. Springer-Verlag LNCS., 2006.Google Scholar
Index Terms
- Beacon certificate push revocation
Recommendations
BlockVoke – Fast, Blockchain-Based Certificate Revocation for PKIs and the Web of Trust
Information SecurityAbstractA reliable certificate revocation mechanism is crucial, as illustrated by the recent revocation of 1.7 million certificates issued by the Let’s Encrypt certificate authority. It is just as essential to get revocation information to users in an ...
RIKE: using revocable identities to support key escrow in PKIs
ACNS'12: Proceedings of the 10th international conference on Applied Cryptography and Network SecurityPublic key infrastructures (PKIs) are proposed to provide various security services. Some security services such as confidentiality, require key escrow in certain scenarios; while some others such as non-repudiation, prohibit key escrow. Moreover, these ...
Comments