Abstract
Many cryptographic security protocols make use of public key cryptography and corresponding public key certificates. In addition, it is possible and very likely that e-commerce applications will make heavy use of attribute certificates to address authorization. Against this background, this article overviews and briefly discusses the issues that surround the management of (public key and attribute) certificates in a corporate environment. In particular, the article introduces the topic, elaborates on possibilities to establish a corporate public key infrastructure (PKI), overviews and briefly discusses the current offerings of two exemplary certification service providers, addresses the problems related to certificate revocation and authorization, and draws some conclusions. Further information about the topic can be found in Chapter 8 of [1].
Summary
Most security protocols rely on public key algorithms, which in turn require mechanisms for certifying public keys. Beyond the existing form of certification that guarantees the identity of the parties, e-commerce applications require extended certificates that also address the problem of authorization. This article reviews the issues surrounding the management of certificates (public key certificates and access-control attribute certificates) in the corporate environment. The article discusses in detail the deployment of a public key infrastructure (PKI) in the enterprise, the offerings of two major existing service providers, the problem of certificate revocation, and authorization by means of certificates.
References
[1] Oppliger (R.), Security technologies for the World Wide Web, Artech House, Norwood, MA, 1999.
[2] Ford (W.), Baum (M.S.), Secure electronic commerce: building the infrastructure for digital signatures & encryption, Prentice Hall PTR, Upper Saddle River, NJ, 1997.
[3] Kohnfelder (L.M.), Towards a practical public-key cryptosystem, Bachelor's thesis, Massachusetts Institute of Technology (MIT), Cambridge, MA, May 1978.
[4] Feghhi (J.), Feghhi (J.), Williams (P.), Digital certificates: applied Internet security, Addison-Wesley Longman, Reading, MA, 1999.
[5] The directory - authentication framework, ITU-T Recommendation X.509, 1988.
[6] Kent (S.T.), Internet privacy enhanced mail, Communications of the ACM, vol. 36, No. 8, August 1993, pp. 48–60.
[7] Housley (R.), Ford (W.), Polk (W.), Solo (D.), Internet X.509 public key infrastructure certificate and CRL profile, Request for Comments 2459, January 1999.
[8] Adams (C.), Internet X.509 public key infrastructure certificate management protocols, Request for Comments 2510, March 1999.
[9] Myers (M.), Adams (C.), Solo (D.), Kemp (D.), Internet X.509 certificate request message format, Request for Comments 2511, March 1999.
[10] Chokhani (S.), Ford (W.), Internet X.509 public key infrastructure certificate policy and certification practices framework, Request for Comments 2527, March 1999.
[11] Housley (R.), Polk (W.), Internet X.509 public key infrastructure: representation of key exchange algorithm (KEA) keys in Internet X.509 public key infrastructure certificates, Request for Comments 2528, March 1999.
[12] Boeyen (S.), Howes (T.), Richard (P.), Internet X.509 public key infrastructure operational protocols - LDAPv2, Request for Comments 2559, April 1999.
[13] Yeong (W.), Howes (T.), Kille (S.), Lightweight directory access protocol, Request for Comments 1777, March 1995.
[14] Boeyen (S.), Howes (T.), Richard (P.), Internet X.509 public key infrastructure LDAPv2 schema, Request for Comments 2587, June 1999.
[15] Housley (R.), Hoffman (P.), Internet X.509 public key infrastructure operational protocols: FTP and HTTP, Request for Comments 2585, May 1999.
[16] Myers (M.), Ankney (R.), Malpani (A.), Galperin (S.), Adams (C.), X.509 Internet public key infrastructure online certificate status protocol - OCSP, Request for Comments 2560, June 1999.
[17] Ellison (C.), Establishing identity without certification authorities, Proceedings of USENIX Security Symposium, July 1996.
[18] Feigenbaum (J.), Towards an infrastructure for authorization, position paper, Proceedings of USENIX Workshop on Electronic Commerce, 1998.
[19] Rivest (R.L.), Lampson (B.), SDSI - a simple distributed security infrastructure, April 1996.
[20] Rivest (R.L.), S-expressions, http://theory.lcs.mit.edu/~rivest/sexp.txt, May 1997.
[21] Abadi (M.), On SDSI's linked local name spaces, Proceedings of 10th IEEE Computer Security Foundations Workshop, June 1997, pp. 98–108.
[22] Fredette (M.H.), An implementation of SDSI - the simple distributed security infrastructure, Master's thesis, Massachusetts Institute of Technology (MIT), Cambridge, MA, May 1997.
[23] Morcos (A.), A Java implementation of simple distributed security infrastructure, Master's thesis, Massachusetts Institute of Technology (MIT), Cambridge, MA, May 1998.
[24] Elien (J.E.), Certificate discovery using SPKI/SDSI 2.0 certificates, Master's thesis, Massachusetts Institute of Technology (MIT), Cambridge, MA, May 1998.
[25] Oppliger (R.), Pernul (G.), Strauss (C.), Using attribute certificates to implement role-based authorization and access control models, work in progress.
[26] Oppliger (R.), Authentication systems for secure networks, Artech House Publishers, Norwood, MA, 1996.
[27] Oppliger (R.), Greulich (A.), Trachsel (P.), A distributed certificate management system (DCMS) supporting group-based access controls, Proceedings of 15th Annual Computer Security Applications Conference (ACSAC '99), December 1999.
[28] Micali (S.), Efficient certificate revocation, Massachusetts Institute of Technology (MIT), Technical Memo MIT/LCS/TM-542b, 1996.
[29] Merkle (R.C.), A certified digital signature, Proceedings of CRYPTO '89, 1989, pp. 234–246.
[30] Kocher (P.), A quick introduction to certificate revocation trees (CRTs).
[31] Naor (M.), Nissim (K.), Certificate revocation and certificate update, Proceedings of 7th USENIX Security Symposium, January 1998.
[32] Oppliger (R.), Authorization methods for e-commerce applications, Proceedings of 18th IEEE Symposium on Reliable Distributed Systems, October 1999.
[33] Blaze (M.), Feigenbaum (J.), Lacy (J.), Decentralized trust management, Proceedings of IEEE Conference on Security and Privacy, 1996, pp. 164–173.
[34] Blaze (M.), Feigenbaum (J.), Strauss (M.), Compliance-checking in the PolicyMaker trust-management system, Proceedings of Financial Cryptography, 1998, pp. 251–265.
[35] Rubin (A.D.), Geer (D.), Ranum (M.J.), Web security sourcebook, John Wiley & Sons, Inc., New York, NY, 1997.
Cite this article
Oppliger, R. Managing certificates in a corporate environment. Ann. Télécommun. 55, 341–351 (2000). https://doi.org/10.1007/BF02994842