Use of a Validation Authority to Provide Risk Management for the PKI Relying Party

  • Jon Ølnes
  • Leif Buene
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4043)


Interoperability between PKIs (Public Key Infrastructure) is a major issue in several electronic commerce scenarios. A Relying Party (RP), in particular in an international setting, should not unduly put restrictions on selection of Certificate Authorities (CA) by its counterparts. Rather, the RP should be able to accept certificates issued by any relevant CA. Such acceptance implies not only the ability to validate certificates, but also an assessment of the risk related to acceptance of a certificate for the purpose at hand. We analyse common PKI trust models with respect to risk management, and argue that an independent, trusted Validation Authority (VA) may be a better approach for this task. A VA as suggested by this paper will also remove the need for complicated certificate path processing.


Electronic Signature; Policy Mapping; Qualified Certificate; Trust Structure; Certificate Policy
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jon Ølnes, DNV Research, Høvik, Norway
  • Leif Buene, DNV Certification, Høvik, Norway
