PKI past, present and future

  • Antonio Lioy
  • Marius Marian
  • Natalia Moltchanova
  • Massimiliano Pala
Special Issue Paper

Abstract

This paper discusses some design and management issues in running an open PKI, based on the experience gained in the day-by-day operation of the EuroPKI infrastructure. The problems are discussed with an historical perspective that includes real-life lessons learnt in EuroPKI about certification practices, services and applications. User-reported problems are also discussed to identify problems that hamper large scale adoption of public-key certificates. The article closes with a general outlook for the field and the description of the future EuroPKI plans.

Keywords

PKI OCSP Public-key certificates 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adams, C., Cain, P., Pinkas, D., Zuccherato, R.: Time-Stamp Protocol (TSP), RFC-3161 (August 2001)Google Scholar
  2. 2.
    Adams, C., Farrell, S.: Internet X.509 Public Key Infrastructure Certificate Management Protocols, RFC-2510 (March 1999)Google Scholar
  3. 3.
    AIPA: CIRCOLARE 19 giugno 2000 n. AIPA/CR/24 (2000) Italian MIT Website, http://www.innovazione.gov.it
  4. 4.
    Alvestrand, H.: IETF Policy on Character Sets and Languages, RFC-2277 (January 1998)Google Scholar
  5. 5.
    Adams, C., Sylvester, P., Zolotarev, M., Zuccherato, R.: Data Validation and Certification Server Protocols, RFC-3039 (February 2001)Google Scholar
  6. 6.
    Blunk, L., Vollbrecht, J.: PPP Extensible Authentication Protocol (EAP), RFC-2284 (March 1998)Google Scholar
  7. 7.
    Chokhani, S., Ford, W.: Certificate Policy and Certification Practices Framework, RFC-2527 (March 1999)Google Scholar
  8. 8.
    Ellison, C., Schneier, B.: Ten risks of PKIs: what you're not being told about public key infrastructure. Comput. Security J. XVI (2000)Google Scholar
  9. 9.
    EuroPKI Certificate Policy – Version 1.1. EuroPKI website, http://www.europki.org
  10. 10.
    Federal Bridge Certification Authority, http://csrc.nist.gov/pki/fbca/welcome.html
  11. 11.
    GSI working group of the Global Grid Forum, http://www.gridforum.org/2_SEC/GSI.htm
  12. 12.
    Guida, R., Stahl, R., Bunt, T., Secrest, G., Moorcones, J.: Deploying and using public key technology: lessons learned in real life. IEEE Security Privacy 2(4), 67–71 (2004)CrossRefGoogle Scholar
  13. 13.
    Gutmann, P.: PKI: It's not dead, just resting. IEEE Comput. 35(8), 41–49 (2002)Google Scholar
  14. 14.
    Housley, R., Ford, W., Polk, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, RFC-2459 (January 1999)Google Scholar
  15. 15.
    Housley, R., Polk, W., Ford, W., Solo, D.: Certificate and Certificate Revocation List (CRL) Profile, RFC-3280 (April 2002)Google Scholar
  16. 16.
    IEEE 802.11 working group, http://grouper.ieee.org/groups/802/11/
  17. 17.
    IEEE Std. 802.11a-1999(R2003), Supplement to IEEE Std. 802.11-1999, High-speed Physical Layer in the 5 GHz band, ISO/IEC 8802-11:1999/Amd 1:2000(E) (June 2003). http://standards.ieee.org/getieee802/download/802.11a-1999.pdf
  18. 18.
    IEEE Std. 802.11b-1999/Cor1-2001, Amendment 2 to IEEE Std. 802.11-1999, Higher-speed Physical Layer (PHY) extension in the 2.4 GHz band–Corrigendum1, SS94952 (November 2001). http://standards.ieee.org/getieee802/download/802.11b1999_Cor1-2001.pdf
  19. 19.
    IEEE Std. 802.11gtm-2003, Amendment 4 to IEEE Std. 802.11-1999, Further Higher-Speed Physical Layer Extension in the 2.4 GHz Band, SS95134 (June 2003). http://standards.ieee.org/getieee802/download/802.11g-2003.pdf
  20. 20.
    IEEE Std. 802.1X-2001, Port-Based Network Access Control, ISBN-0-7381-2927-5 (June 2001). http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
  21. 21.
    IETF PKIX (Public-Key Infrastructure based on X.509) working group, http://www.ietf.org/html.charters/pkix-charter.html
  22. 22.
    Iliadis, J., Gritzalis, S., Spinellis, D., de Coc, D., Preneel, B., Gritzalis, D.: Towards a framework for evaluating certificate status information mechanisms. Comput. Commun. 26(16), 1839–1850 (2003)CrossRefGoogle Scholar
  23. 23.
    ISO/IEC: Information Technology – Universal Multiple-Octet Coded Character Set (UCS). Part 1: Architecture and Basic Multilingual Plane (May 1993) with amendmentsGoogle Scholar
  24. 24.
    Kent, S.: Privacy Enhancement for Internet Electronic Mail. Part II: Certificate-Based Key Management, RFC-1422 (February 1993)Google Scholar
  25. 25.
    Lioy, A., Marian, M., Moltchanova, N., Pala, M.: The EuroPKI experience. In: Proceedings of the First European Workshop on Public-Key Infrastructures, Samos Island, Greece, June 25–26, LNCS, vol. 3093 pp. 14–27. Springer Verlag, Berlin (2004)Google Scholar
  26. 26.
    Malpani, A., Housley, R., Freeman, T.: Simple Certificate Validation Protocol (SCVP), IETF Draft, PKIX working group (October 2003)Google Scholar
  27. 27.
    Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: Online Certificate Status Protocol – OCSP, RFC-2560 (June 1999)Google Scholar
  28. 28.
    NIST: Public Key Interoperability Test Suite (PKITS), http://csrc.nist.gov/pki/testing/x509paths.html
  29. 29.
    Policy of the TERENA Academic CA Repository (TACAR), https://www.tacar.org/docs/tacar-policy-v1.01.pdf
  30. 30.
    Polk, W.T., Hastings, N.E.: Bridge Certification Authorities: Connecting B2B Public Key Infrastructures, NIST (September 2000)Google Scholar
  31. 31.
    Ramsdell, B.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification, RFC-3851 (July 2004)Google Scholar
  32. 32.
    RSA Laboratories: PKCS#11: Conformance Profile Specification, Version 2.11 (October 1, 2000)Google Scholar
  33. 33.
    RSA Laboratories: PKCS#12: Personal Information Exchange Syntax Standard, Version 1.0 (June 24, 1999)Google Scholar
  34. 34.
    Shiller, J.I.: The MIT CA experience. Proceedings of the 61st Internet Engineering Task Force, Washington, DC, USA (November 2004). http://www1.ietf.org/proceedings_new/04nov/slides/easycert-0.pdf
  35. 35.
    Spencer, J.: The Federal PKI – Looking Forward, http://www.cio.gov/fpkisc/presentations/hhsbrief.ppt
  36. 36.
    TACAR: TERENA Academic CA Repository, http://www.tacar.org
  37. 37.
    TERENA AACE Task Force: Authentication, Authorisation Coordination for Europe, http://www.terena.nl/tech/task-forces/tf-aace/
  38. 38.
    The Challenge PKI project, http://www.jnsa.org/mpki/
  39. 39.
    The European Policy Management Authority for Grid Authentication in e-Science, http://www.eugridpma.org/
  40. 40.
    The International Grid Federation, http://www.gridpma.org/
  41. 41.
  42. 42.
    The OpenCA project, http://www.openca.org
  43. 43.
    The PKI challenge project, http://www.eema.org
  44. 44.
    Tuecke, S., Engert, D., Foster, I., Welch, V., Thompson, M., Pearlman, L., Kesselman, C.: Internet X.509 Public Key Infrastructure Proxy Certificate Profile, IETF Draft, PKIX working group (May 2003)Google Scholar
  45. 45.
    Urien, P., Farrugia, A.J., Groot, M., Pujolle, G., Abellan, J.: EAP-Support in Smartcard, IETF Draft, 2003, http://www.globus.org/security/standards/draft-ietf-pkix-proxy-06.txt
  46. 46.
    Weider, C., Preston, C., Simonsen, K., Alvestrand, H., Atkinson, R., Crispin, M., Svanberg, P.: The Report of the IAB Character Set Workshop held 29 February–1 March, 1996, RFC-2130 (April 1997)Google Scholar
  47. 47.
    Yergeau, F.: UTF-8, A Transformation Format of ISO 10646, RFC-2279 (January 1998)Google Scholar

Copyright information

© Springer-Verlag 2005

Authors and Affiliations

  • Antonio Lioy
    • 1
  • Marius Marian
    • 1
  • Natalia Moltchanova
    • 1
  • Massimiliano Pala
    • 1
  1. 1.Dipartmento di Automatica e InformaticaPolitecnico di TorinoTorinoItaly

Personalised recommendations