ConChord: Cooperative SDSI Certificate Storage and Name Resolution

  • Sameer Ajmani
  • Dwaine E. Clarke
  • Chuang-Hue Moh
  • Steven Richman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2429)


We present ConChord, a large-scale certificate distribution system built on a peer-to-peer distributed hash table. ConChord provides load-balanced storage while eliminating many of the administrative difficulties of traditional, hierarchical server architectures. ConChord is specifically designed to support SDSI, a fully-decentralized public key infrastructure that allows principals to define local names and link their namespaces to delegate trust. We discuss the particular challenges ConChord must address to support SDSI efficiently, and we present novel algorithms and distributed data structures to address them. Experiments show that our techniques are effiective and practical for large SDSI name hierarchies.


Hash Table Trust Management Distribute Hash Table Network Partition Merkle Tree 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    S. Ajmani. A Trusted Execution Platform for multiparty computation. Master’s thesis, MIT, 2000. App A: Certificate Chain Algorithms.Google Scholar
  2. [2]
    M. Blaze, J. Feigenbaum, and A. D. Keromytis. Keynote: Trust management for public-key infrastructures (position paper). In Security Protocols Workshop, pages 59–63, 1998.Google Scholar
  3. [3]
    M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. Technical Report 96-17, 28, 1996.Google Scholar
  4. [4]
    D. Clarke, J. Elien, C. Ellison, M. Fredette, A. Morcos, and R. L. Rivest. Certificate chain discovery in SPKI/SDSI. Journal of Computer Security, 2001.Google Scholar
  5. [5]
    R. Cox and A. Muthitacharoen. Serving DNS using Chord. In Proc. IPTPS, 2002.Google Scholar
  6. [6]
    F. Dabek, M. F. Kaashoek, D. Karger, R. Morris, and I. Stoica. Wide-area cooperative storage with CFS. In Proc. ACM SOSP, Oct. 2001.Google Scholar
  7. [8]
    P. Druschel and A. Rowstron. PAST a large-scale, persistent peer-to-peer storage utility. In HotOS VIII, May 2001.Google Scholar
  8. [9]
    C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen. SPKI certificate theory. RFC 2693, Sept. 1999.Google Scholar
  9. [10]
    C. M. Ellison and D. E. Clarke. High speed TUPLE reduction. Memo, Intel, 1999.Google Scholar
  10. [11]
    C. A. Gunter and T. Jim. Policy-directed certificate retreival. Technical Report MS-CIS-99-07, U. Penn., Sept. 1998.Google Scholar
  11. [12]
    J. Y. Halpern and R. van der Meyden. A logic for SDSI’s linked local name spaces. Journal of Computer Security, 9(1,2):47–74, 2000.Google Scholar
  12. [13]
    T. Jim. SD3: A trust management system with certified evaluation. In Proc. 2001 IEEE Symposium on Security and Privacy, May 2001.Google Scholar
  13. [14]
    J. Jung, E. Sit, H. Balakrishnan, and R. Morris. DNS performance and the effiectiveness of caching. In Proc. ACM SIGCOMM Internet Measurement Workshop, 2001.Google Scholar
  14. [15]
    N. Li, W. H. Winsborough, and J. C. Mitchell. Distributed credential chain discovery in trust management. In Proc. 8th ACM CCS, Nov. 2001.Google Scholar
  15. [16]
    P. Nikander and L. Viljanen. Storing and retrieving internet certificates. In Proc. 3rd Nordic Workshop on Secure IT Systems, 1998.Google Scholar
  16. [18]
    S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker. A scalable content-addressable network. In Proc. ACM SIGCOMM, 2001.Google Scholar
  17. [19]
    R. L. Rivest and B. Lampson. SDSI-A simple distributed security infrastructure. Apr. 1996.Google Scholar
  18. [20]
    A. Rowstron and P. Druschel. Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems. In Proc. IFIP/ACM Middleware, 2001.Google Scholar
  19. [22]
    I. Stoica, R. Morris, D. Karger, M. Kaashoek, and H. Balakrishnan. Chord: A scalable peer-to-peer lookup service for Internet applications. In Proc. ACM SIGCOMM, Aug. 2001.Google Scholar
  20. [23]
    B. Y. Zhao, J. Kubiatowicz, and A. Joseph. Tapestry: An infrastructure for faulttolerant wide-area location and routing. Technical Report UCB/CSD-01-1141, UC Berkeley, Apr. 2001.Google Scholar
  21. [24]
    P. R. Zimmermann. The Official PGP User’s Guide. MIT Press, 1995.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Sameer Ajmani
    • 1
  • Dwaine E. Clarke
    • 1
  • Chuang-Hue Moh
    • 1
  • Steven Richman
    • 1
  1. 1.MIT Laboratory for Computer ScienceCambridgeUSA

Personalised recommendations