Skip to main content

A search engine for the global PKI

Abstract

Today the public key technology enjoys wide acceptance and use. Countless network protocols and applications use it to guarantee strong authentication and privacy. Usability and maintainability of this technology remains problematic, however. It is still very cumbersome and time-consuming to set up an enterprise Public Key Infrastructure (PKI) that has relationships with external parties. The emergence of PKI bridges, while solving one set of problems, created a new one: management of distributed trust became much more difficult. Complexity of the global PKI mesh and its decentralized nature created a need for a service with a unified view of the global PKI. In this paper we propose a PKI search engine that can provide such a service. The engine supports facilities for certificate and certificate revocation list (CRL) discovery, testing and troubleshooting of extra-enterprise PKIs, certificate revocation status lookup, certification path construction and validation, all based on the Internet-mined and user-registered information.

References

  1. 1.

    Adams C, Lloyd S (2002) Understanding PKI: concepts, standards, and deployment considerations. Addison-Wesley, Reading

    Google Scholar 

  2. 2.

    Adams C, Just M (2004) PKI: Ten years later. In Proc of the third annual PKI R&D workshop, pp 69–84

  3. 3.

    Boeyen S, Hallam-Baker P (2006) Internet X.509 public key infrastructure repository locator service. RFC 4386, IETF

  4. 4.

    Boyce J, Sheresh B, Sheresh D (2007) Microsoft Office Outlook 2007 inside out. Microsoft Press

  5. 5.

    Brin S, Page L (1998) The anatomy of a large-scale hypertextual Web search engine. In Proc of the 7th int’l world wide web conference, pp 107–117

  6. 6.

    Cantor S, Kemp J, Philpott R, Maler E (eds) (2005) Assertions and protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS

  7. 7.

    Cooper D, Santesson S, Farrell S, Boeyen S, Housley R, Polk W (2005) Internet X.509 Public Key Infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, IETF

  8. 8.

    Cooper M, Dzambasow Y, Hesse P, Joseph S, Nicholas R (2005) Internet X.509 Public Key Infrastructure: certification path building. RFC 4158, IETF

  9. 9.

    Doraswamy N, Harkins D (1999) IPSec: the new security standard for the Internet, intranets, and virtual private networks. Prentice Hall, New York

    Google Scholar 

  10. 10.

    Doyle P, Hanna S (2003) Analysis of June 2003 survey on obstacles to PKI deployment and usage. OASIS

  11. 11.

    Elkins M, Del Torto D, Levien R, Roessler T (2001) MIME security with OpenPGP. RFC 3156, IETF

  12. 12.

    Freeman T, Housley R, Malpani A, Cooper D, Polk W (2007) Server-based certificate validation protocol (SCVP). RFC 5055, IETF

  13. 13.

    Gast M (2005) 802.11 wireless networks: the definitive guide. O’Reilly

  14. 14.

    Good G (2000) The LDAP data interchange format (LDIF) technical specification. RFC 2849, IETF

  15. 15.

    Gutmann P (ed) (2006) Internet X.509 Public Key Infrastructure operational protocols: certificate store access via HTTP. RFC 4387, IETF

  16. 16.

    Hallam-Baker P, Mysore SH (2005) XML key management specification (XKMS 2.0), version 2.0. W3C Recommendation, W3 consortium

  17. 17.

    Housley R (2004) Cryptographic message syntax (CMS). RFC 3852, IETF

  18. 18.

    Jokl J, Basney J, Humphrey M (2004) Experiences using bridge CAs for grids. Technical Report YCS-2004-380, Dept of Computer Science, University of York

  19. 19.

    Josefsson S (2006) Storing certificates in the Domain Name System (DNS). RFC 4398, IETF

  20. 20.

    Kaliski BS, Kingdon KW (1997) Extensions and revisions to PKCS #7. An RSA Laboratories Technical Note, Version 1.6. RSA Data Security Inc

  21. 21.

    Myers M, Ankney R, Malpani A, Galperin S, Adams CX (1999) 509 Internet Public Key Infrastructure: online certificate status protocol—OCSP. RFC 2560, IETF

  22. 22.

    Pala M (2009) PKI resource query protocol (PRQP). Internet draft draft-pala-prqp-04, IETF

  23. 23.

    Pala M (2010) A proposal for collaborative Internet-scale trust infrastructures deployment: the Public Key System (PKS). In Proc of the 9th symposium on identity and trust on the Internet, pp 108–116

  24. 24.

    Polk WT, Hastings NE (2000) Bridge certification authorities: connecting B2B public key infrastructures. National Institute of Standards and Technology, Geithersburg

    Google Scholar 

  25. 25.

    Ramsdell B (2004) Secure/multipurpose Internet mail extensions (S/MIME) Version 3.1 message specification. RFC 3851, IETF

  26. 26.

    Reddy R, Wallace C (2009) Trust anchor management requirements. Internet draft draft-ietf-pkix-ta-mgmt-reqs-04, IETF

  27. 27.

    Rescorla E (2001) SSL and TLS: designing and building secure systems. Addison-Wesley, Reading

    Google Scholar 

  28. 28.

    Robinson RV, Li M, Lintelman SA, Sampigethaya K, Poovendran R, von Oheimb D, Busser J-U (2007) Impact of public key enabled applications on the operation and maintenance of commercial airplanes. In Proc of the AIAA aviation technology integration, and operations (ATIO) conference

  29. 29.

    Schwartz M (2005) Scale is everything for Pentagon’s digital security. In: Enterprise Strategies Journal

  30. 30.

    Sinnreich H, Johnston AB (2006) Internet communications using SIP: delivering VoIP and multimedia services. Wiley, New York

  31. 31.

    Straub T (2005) Usability challenges of PKI. Ph.D. dissertation, Darmstadt Technical University

  32. 32.

    Walsh BM (2004) Johnson & Johnson: use of public key technology. In Proc of the summit and workshop for deploying PKI to end users in higher education

  33. 33.

    Zeilenga K (2006) Lightweight directory access protocol (LDAP) schema definitions for X.509 certificates. RFC 4523, IETF

  34. 34.

    Zhao M, Smith SW (2006) Modeling and evaluation of certification path discovery in the emerging global PKI. In Proc of the third European PKI workshop (EuroPKI), pp 16–30

  35. 35.

    Zhu L, Tung B (2006) Public key cryptography for initial authentication in Kerberos (PKINIT). RFC 4556, IETF

  36. 36.

    CertiPath LLC (2008) Cross certification ceremonies

  37. 37.

    Federal Public Key Infrastructure Policy Authority (2008) Entities that are cross-certified with the FBCA

  38. 38.

    Sun Microsystems, Inc (2004) Debugging SSL/TLS connections

  39. 39.

    ITU-T Recommendation X.509 (1997) Information technology—open systems interconnection—the directory: authentication framework

  40. 40.

    ITU-T Recommendation X.519 (2001) Information technology—open systems interconnection–the directory: protocol specifications

  41. 41.

    SAFE-BioPharma Association (2008) Issuers and cross certification

  42. 42.

    Netcraft (2008) Netcraft secure server survey, January 2008. http://www.netcraft.com/

  43. 43.

    The OpenSSL project (2009) OpenSSL change log

  44. 44.

    OWASP (2005) A guide to building secure Web applications and Web services 2:0

  45. 45.

    PGP Corp (2008) PGP desktop email quick start guide, version 9:8

  46. 46.

    The Open Group (2005) S/MIME secure messaging architecture, version 1:0

  47. 47.

    TACAR (2008) TACAR: TERENA academic CA repository

  48. 48.

    Cygnacom Solutions, Inc (2007) Webcullis configuration manual

  49. 49.

    W3 Consortium (2008) XML signature syntax and processing, 2nd edn. W3C recommendation

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Paul Rabinovich.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Rabinovich, P. A search engine for the global PKI. J Internet Serv Appl 1, 83–93 (2010). https://doi.org/10.1007/s13174-010-0009-4

Download citation

Keywords

  • Public Key Infrastructure
  • PKI mesh
  • X.509 certificate
  • Certification authority
  • Certification path discovery and validation
  • Certificate discovery