Modeling and Evaluation of Certification Path Discovery in the Emerging Global PKI

  • Meiyuan Zhao
  • Sean W. Smith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4043)


Establishing trust on certificates across multiple domains requires an efficient certification path discovery algorithm. Previously, small exmaples are used to analyze the performance of certification path discovery. In this work, we propose and implement a simulation framework and a probability search tree model for systematic performance evaluation. Built from measurement data collected from current PKI systems in development and deployment over more than 10 countries, our model is (to the best of our knowledge) the largest simulated PKI architecture to-date.


Search Tree Simulation Framework Path Discovery Algorithm Option Building Direction 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Årnes, A., Just, M., Lloyd, S., Meijer, H.: Certificate Revocation Performance Simulations. Project paper (June 2000)Google Scholar
  2. 2.
    Brazilian Government PKI System,
  3. 3.
    CertiPath: Enabling Trusted Communication,
  4. 4.
    Certification Path Library (CPL). Cygnacom Solutions,
  5. 5.
    Domain Modeling Language (DML) Reference Manual,
  6. 6.
    Elley, Y., Anderson, A., Hanna, S., Mullan, S., Perlman, R., Proctor, S.: Building Certification Paths: Forward vs. Reverse. In: The 10th Annual Network and Distributed Systems Security Symposium (NDSS 2001) (February 2001)Google Scholar
  7. 7.
    EuroPKI Top Level Certification Authority,
  8. 8.
    Federal Bridge Certification Authority,
  9. 9.
    Higher Education Bridge Certification Authority (HEBCA)-Transforming Education Through Information Technologies,
  10. 10.
    Housley, R., Polk, W., Ford, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC3280 (April 2002),
  11. 11.
    Iliadis, J., Gritzalis, S., Spinellis, D., de Cock, D., Preneel, B., Gritzalis, D.: Towards a Framework for Evaluating Certificate Status Information Mechanisms. Computer Communications 26(16), 1839–1850 (2003)CrossRefGoogle Scholar
  12. 12.
    Iliadis, J., Spinellis, D., Gritzalis, D., Preneel, B., Katsikas, K.: Evaluating Certificate Status Information Mechanisms. In: Proceedings of the 7th ACM conference on Computer and Communications Security (CCS 2000), pp. 1–8. ACM Press, New York (2000)CrossRefGoogle Scholar
  13. 13.
    CoreStreet Inc. Distributed Path Validation-Massive Scalability for Federated PKIs. Presentation st FBCA Path Discovery & Validation Working Group (August 2004)Google Scholar
  14. 14.
    Kohnfelder, L.M.: Toward a Practical Public-Key Cryptosystem. Bachelor’s thesis, Dept. Electrical Engineering. MIT, Cambridge (1978)Google Scholar
  15. 15.
    Lloyd, S.: Understanding Certification Path Construction. PKI Forum White Paper (September 2002)Google Scholar
  16. 16.
    Muñoz, J.L., Forné, J., Esparza, O., Soriano, B.M.: CERVANTES – A Certificate Validation Test-Bed. In: Katsikas, S.K., Gritzalis, S., López, J. (eds.) EuroPKI 2004. LNCS, vol. 3093, pp. 28–42. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol. RFC2560 (June 1999),
  18. 18.
    Ogielski, A.T., Cowie, J.H.: SSFNet: Scalable Simulation Framework- Network Models,, See for links to related publications
  19. 19.
    Russell, S., Dawson, E., Okamoto, E., Lopez, J.: Virtual Certificates and Synthetic Certificates: New Paradigms for Improving Public Key Validation. Elsevier Computer Communications 26, 1826–1838 (2003)Google Scholar
  20. 20.
    SAFE Bridge Certification Authority TEST Environment. SAFE-BioPharma Association,
  21. 21.
    MitreTek Systems. Certificate Arbitrator Module,
  22. 22.
    USHER: The Root Certificate Authority for Trust in Higher Education Research and Education,
  23. 23.
    Wahl, M., Howes, T., Kille, S.: Lightweight Directory Access Protocol (v3). RFC2551 (March 1997),
  24. 24.
    Zhao, M.: Performance Evaluation of Distributed Security Protocols Using Discrete Event Simulation. PhD thesis, Dartmouth College, Hanover, NH, TR2005-559 (October 2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Meiyuan Zhao
    • 1
  • Sean W. Smith
    • 2
  1. 1.Communications Technology LabIntel CorporationHillsboroUSA
  2. 2.Department of Computer ScienceDartmouth CollegeHanoverUSA

Personalised recommendations