

PKI has been developed to solve the growing needs for security and trust assurances. PKI is used to support authenticated, secure communications and authorizations between partners. The PKI concept finally allows secure communication, commerce and access to be achieved over the open Internet. However, the ideal of a global PKI and the way PKIs have actually been developed are not consistent. PKI deployment has not become ubiquitous, nor has it been fully utilized; PKIs are deployed in closed, disjoint islands. This means that intra-organizational communications may be secure, but secure inter-organizational communications fail because trust paths cannot be constructed between segregated PKIs. There have been new developments to connect disjoint PKIs, namely cross-certificates and Bridge CAs. However, these solutions continue to compound another underlying PKI issue: complexity. Unfortunately, this complexity is not solved by the infrastructure; instead, it is continually forced upon every application that wishes to make use of PKI functionality. The main complexities are certificate path construction and validation, and retrieval of certificates. Therefore, all PKI-aware applications must support complex trust logic and access a multitude of repositories via different access protocols. This leads to longer application development times, increased costs, and the need for powerful client platforms and client configuration.
In response to the above issues, we introduce the concept of a PKI Server, a service that moves these complexities and requirements from clients to a server. The PKI Server may play varying roles depending on the trust level and capabilities of the client. It may validate certificates and signatures, in which case the client must completely trust the server. On the other hand, a client may have sufficient resources to validate a certificate path and only use the PKI Server to construct the path. In this case, the client need not have any trust in the PKI Server. In order to control the validation process, a client references a validation policy in each validation request sent to the PKI Server. A validation policy is used to specify trust anchors, revocation checks and constraints of the constructed certificate path. Using a reference to a server-stored validation policy allows an administrator to centrally create and modify the validation policies. This allows a client to simply specify the appropriate, pre-configured validation policy reference, depending on the validation context. For example, a client may need to reference a different validation policy when validating the signature on a high value contract compared to when validating a signature on a low value transaction.
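A minimal model of the policy-referenced path construction described above, added here as an illustration and not code from the project. The policy fields, policy names, certificates and revocation set are constructed assumptions, and signature verification is left out.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                 # constructed model: names only, no real signatures
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class Policy:               # server-stored validation policy (hypothetical fields)
    trust_anchors: frozenset
    check_revocation: bool
    max_path_len: int       # maximum number of certificates in the path

# Constructed sample data: two PKIs (OrgA, OrgB) joined by a cross-certificate.
CERTS = [
    Cert("alice@orgb", "OrgB-CA", 1),
    Cert("OrgB-CA", "OrgB-Root", 2),
    Cert("OrgB-Root", "OrgA-Root", 3),   # cross-certificate issued by OrgA-Root
    Cert("bob@orga", "OrgA-Root", 4),
]
REVOKED = {("OrgA-Root", 4)}             # (issuer, serial): bob's certificate
POLICIES = {                             # the client sends only the reference
    "high-value": Policy(frozenset({"OrgA-Root"}), True, 2),
    "low-value": Policy(frozenset({"OrgA-Root"}), False, 4),
}

def build_path(subject, policy_ref):
    """Return certificates from subject up to a trust anchor, or None."""
    policy = POLICIES[policy_ref]
    by_subject = {}
    for c in CERTS:
        by_subject.setdefault(c.subject, []).append(c)
    queue = deque([[c] for c in by_subject.get(subject, [])])
    while queue:                         # breadth-first: shortest path wins
        path = queue.popleft()
        tip = path[-1]
        if policy.check_revocation and (tip.issuer, tip.serial) in REVOKED:
            continue                     # revoked certificate ends this branch
        if tip.issuer in policy.trust_anchors:
            return path
        if len(path) >= policy.max_path_len:
            continue                     # path-length constraint from the policy
        seen = {c.subject for c in path}
        for nxt in by_subject.get(tip.issuer, []):
            if nxt.subject not in seen:  # avoid cross-certificate loops
                queue.append(path + [nxt])
    return None
```

The same certificate yields different answers under different policy references: the cross-PKI path for `alice@orgb` fits the `low-value` policy but exceeds the path length allowed by `high-value`.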
The goals of this concept are to allow broader adoption of PKI by simplifying client applications, reducing administrative management and linking PKIs together. This is achieved by using a thin client and a client-server architecture, so that limited-resource devices, such as PDAs and mobile phones, may utilize PKI. Furthermore, administrative management is reduced since clients only need minimal configuration, and any changes to PKI structures, repositories, or protocols are made on the PKI Server and are not visible to the client. Finally, PKI Servers will forge connections between isolated PKIs because PKI Servers will be interconnected with other organizational PKI Servers, which will allow certificates and revocation information to be accessed across PKIs. Thus, secure inter-organizational communications, spanning across PKIs, will be achieved.
The presentation will outline the technical components developed within the project, mainly the features of the PKI Server, and will show how this technology has been used for identification purposes in a mobile roaming network context in a common project with an industry partner in Japan.



This presentation is part of session "Recent Results II" which starts at Monday, June 7 @ 16:00


Last modified on the 15th of June 2004 - 12:35