Skip to main content
SpringerLink
Log in

On the Complexity of Public-Key Certificate Validation

  • Conference paper
  • First Online:
Information Security (ISC 2001)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2200))

Included in the following conference series:

Abstract

Public-key infrastructures are increasingly being used as foundation for several security solutions, such as electronic documents, secure e-mail (S/MIME), secure web transactions (SSL), and many others.

However, there are still many aspects that need careful consideration before these systems can really be used on a very large scale. In this respect, one of the biggest issues to solve is certificate validation in a generic multi-issuer certification environment.

This paper begins by introducing the problem, also with the help of a famous security incident related to certificate validation, and then proceeds to review the user and system requirements. We take into account several constraints, such as computational power of the end-user client (workstation, PDA, cellular phone), network connectivity (permanent or intermittent, high or low speed) and security policy to be respected (personal or company-wide trust). We then proceed to define a general certificate validation architecture and show how several proposed certificate management formats and protocols can be used within this general architecture and which are the relative merits and drawbacks. Finally, the support offered by commercial products to certificate validation is analyzed, and the path towards better solutions for an effective deployment of certificates is sketched.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. M. K. Reiter, S. G. Stubblebine, Towards Acceptable Metrics of Authentication, Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, May 1997, pp. 10–20.

    Google Scholar 

  2. R. Housley, W. Ford, W. Polk, D. Solo, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, RFC 2459, IETF, 1999

    Google Scholar 

  3. Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard, Microsoft Security Bulletin MS01-017, available at http://www.microsoft.com/TechNet/security/bulletin/MS01-017.asp

  4. T. Bray, J. Paoli, C.M. Sperberg-McQueen, Extensible Markup Language (XML) 1.0, W3C Recommendation, 10-February-1998, available at http://www.w3.org/TR/1998/REC-xml-19980210

  5. http://www.modssl.org

  6. B. Ramsdell, S/MIME Version 3 Message Specification, RFC 2633, IETF, 1999

    Google Scholar 

  7. T. Dierks, C. Allen, The TLS Protocol Version 1.0, RFC 2246, IETF, 1999

    Google Scholar 

  8. T. Beth, M. Borcherding, B. Klein, Valuation of trust in open networks, European Symposium on Research in Computer Security, ESORICS 1994, vol. 875 of Lecture Notes in Computer Science, Springer-Verlag, 1994, pp. 3–18

    Google Scholar 

  9. U. Maurer, Modelling a public-key infrastructure, European Symposium on Research in Computer Security, ESORICS 1996, vol. 1146 of Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. 325–350

    Google Scholar 

  10. M. K. Reiter, S. G. Stubblebine, Path independence for authentication in largescale systems, Proceedings of ACM Conference on Computer and Communications Security, Zurich, Switzerland, April, 1997, pp. 57–66

    Google Scholar 

  11. W. Ford, M. S. Baum, Secure Electronic Commerce, Prentice Hall, 1997

    Google Scholar 

  12. P. McDaniel, S. Jamin, Windowed Key Revocation in Public Key Infrastructures, Tech. Rep. CSE-TR-376-98, EECS(Univ. of Michigan), 1998

    Google Scholar 

  13. ITU-T Recommendation X.509-ISO/IEC 9594-8, 1995

    Google Scholar 

  14. M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP, RFC 2560, IETF, 1999

    Google Scholar 

  15. M. Naor, K. Nissim, Certificate Revocation and Certificate Update, IEEE Journal on selected areas in communications, Vol. 18, No. 4, 2000, pp. 561–570

    Article  Google Scholar 

  16. H. Kikuchi, K. Abe, S. Nakanishi, Performance evaluation of public-key certificate revocation system with balanced hash tree, Proceedings of International Workshops on Parallel Processing, Wakamatsu, Japan, 1999, pp. 204–209

    Google Scholar 

  17. M. Myers, S. Farrell, C. Adams, Delegated Path Discovery with OCSP, draft-ietfpkix-ocsp-path-00.txt, IETF Internet Draft, September 2000

    Google Scholar 

  18. M. Myers, C. Adams, S. Farrell, Delegated Path Validation, draft-ietf-pkix-ocspvalid-00.txt, IETF Internet Draft, August 2000

    Google Scholar 

  19. M. Myers, R. Ankney, C. Adams, S. Farrell, C. Covey, Online Certificate Status Protocol, version 2, draft-ietf-pkix-ocspv2–02.txt, IETF Internet Draft, March 2001

    Google Scholar 

  20. A. Malpani, P. Hoffman, R. Housley, Simple Certificate Validation Protocol (SCVP), draft-ietf-pkix-scvp-05.txt, IETF Internet Draft, June 2001

    Google Scholar 

  21. D. Pinkas, Delegated Path Validation and Delegated Path Discovery Protocols, draft-ietf-pkix-dpv-dpd-00.txt, IETF Internet Draft, July 2001

    Google Scholar 

  22. http://www.mozilla.org/projects/security/pki/nss/intro.html

  23. http://www.mozilla.org/

  24. http://www.VeriSign.com/onsite/datasheets/validation/validation.html

Download references

Author information

Authors and Affiliations

  1. Dipartimento di Automatica e Informatica, Politecnico di Torino, Torino, (Italy)

    Diana Berbecaru, Antonio Lioy & Marius Marian

Authors
  1. Diana Berbecaru
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Antonio Lioy
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Marius Marian
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of EECS, University of Wisconsin-Milwaukee, Milwaukee, WI, 53201, USA

    George I. Davida

  2. Techtegrity, LLC, 122 Harrison, Westfield, NJ, 07090, USA

    Yair Frankel

Rights and permissions

Reprints and permissions

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Berbecaru, D., Lioy, A., Marian, M. (2001). On the Complexity of Public-Key Certificate Validation. In: Davida, G.I., Frankel, Y. (eds) Information Security. ISC 2001. Lecture Notes in Computer Science, vol 2200. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45439-X_13

Download citation

  • DOI: https://doi.org/10.1007/3-540-45439-X_13

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42662-2

  • Online ISBN: 978-3-540-45439-7

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation