Design of Graded Trusts by Using Dynamic Path Validation

  • Akira Kubo
  • Hiroyuki Sato
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 321)


In modern information service architectures, security is one of the most critical criteria. Almost every standard on information security is concerned with the internal control of an organization, and particularly with authentication. If an RP (relying party) has valuable information assets and requires a high level of authentication before accepting access to those assets, then a strong mechanism is required. Here, we focus on a trust model of certificate authentication. Conventionally, a trust model of certificates is defined as the validation of chains of certificates. However, today, this trust model does not function well because of the complexity of paths and of the requirements on security levels. In this paper, we propose “dynamic path validation,” together with another trust model of PKI for controlling this situation. First, we propose a Policy Authority. The Policy Authority assigns a level of compliance (LoC) to the CAs in its domain. LoC is evaluated in terms of the common criteria of the Policy Authority. Moreover, the Policy Authority controls path building with consideration of LoC. Therefore, we can flexibly evaluate the levels of CP/CPSs in one server. In a typical bridge model, we need as many bridge CAs as the number of required levels of CP/CPSs. In our framework, instead, we can do the same task in a single server, which saves the cost of maintaining lists of trust anchors for multiple levels.
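The idea of LoC-aware path building can be sketched as follows. This is an added illustration, not code from the paper: the acceptance rule (every CA on the path must have an LoC at or above the level the RP requires), the class and CA names, and the LoC values are all assumptions, and signature, validity and revocation checks are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

class PolicyAuthority:
    """Hypothetical single server: one LoC table, one trust-anchor list."""
    def __init__(self, loc, anchors, certs):
        self.loc = loc              # CA name -> assigned level of compliance
        self.anchors = anchors      # names of trust anchors
        self.by_subject = {}
        for c in certs:
            self.by_subject.setdefault(c.subject, []).append(c)

    def build_path(self, subject, required_loc, seen=()):
        """Return the CA names from the issuer up to an anchor, or None."""
        for cert in self.by_subject.get(subject, []):
            ca = cert.issuer
            # Assumed rule: prune loops and any CA below the required level.
            if ca in seen or self.loc.get(ca, 0) < required_loc:
                continue
            if ca in self.anchors:
                return [ca]
            rest = self.build_path(ca, required_loc, seen + (ca,))
            if rest is not None:
                return [ca] + rest
        return None

# Constructed sample domain: DeptCA is certified both by PartnerCA
# (cross-certificate, LoC 1) and directly by the anchor RootA (LoC 3).
PA = PolicyAuthority(
    loc={"RootA": 3, "DeptCA": 2, "PartnerCA": 1},
    anchors={"RootA"},
    certs=[
        Cert("alice", "DeptCA"),
        Cert("DeptCA", "PartnerCA"),
        Cert("DeptCA", "RootA"),
        Cert("PartnerCA", "RootA"),
        Cert("bob", "PartnerCA"),
    ],
)

if __name__ == "__main__":
    for user, level in [("alice", 1), ("alice", 2), ("alice", 3), ("bob", 2)]:
        print(user, level, PA.build_path(user, level))
```

The same server answers requests at different required levels: the path chosen for `alice` changes between level 1 and level 2, and no path exists at level 3, without keeping a separate trust-anchor list per level.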


Keywords: Trust Model; Information Security; Common Criterion; Information Asset; Path Validation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© IFIP 2010

Authors and Affiliations

  • Akira Kubo (1)
  • Hiroyuki Sato (2)
  1. No Institute Given
  2. Information Technology Center, The University of Tokyo, Japan
