Abstract
Public-key infrastructures (PKIs) are considered the basis of the protocols and tools needed to guarantee the security of new Internet applications like electronic commerce, government-citizen relationships and digital distribution. This paper introduces a new infrastructure design, Cert’eM, a key management and certification system that is based on the structure of the electronic mail service and on the principle of near-certification. Cert’eM provides a secure means to identify users and distribute their public-key certificates, enhances the efficiency of revocation procedures, and avoids scalability and synchronization problems. Because we have considered the revocation problem as priority in the design process and a big influence in the rest of the PKI components, we have developed an alternative solution to the use of certificate revocation lists (CRLs). This has become one of the strongest points of this new scheme.
Similar content being viewed by others
References
Ford W, Baum M (2000) Secure electronic commerce: building the infrastructure for digital signatures and encryption, 2nd ed. Prentice-Hall, New York
Kohl J (1989) The use of encryption in kerberos for network authentication. In: Advances in Cryptology – CRYPTO’89. Springer, Berlin Heidelberg New York, pp 35–43
Kohl J, Neuman BC (1993) The Kerberos network authentication service (V5). Internet request for comment 1510
Davis D (1995) Kerberos plus RSA for World Wide Web security. First USENIX Workshop on Electronic Commerce, pp 185–188
Ganesan R (1995) Yaksha: augmenting Kerberos with public key cryptography. Internet Society Symposium on Network and Distributed Systems Security, pp 132–143
Schiller J, Atkins D (1995) Scaling the web of trust: combining Kerberos and PGP to provide large scale authentication. USENIX Technical Conference
Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22(6):644–654
Clarke R (1997) Human identification in information systems: management challenges and public policy issues. Inf Technol People 7(4):6–37
Garfinkel S, Spafford E (2001) Web security and commerce, 2nd Ed. O’Reilly & Associates
European Commission (December 1999) Directive 1999/93 of the European parliament and the council on a community framework for electronic signatures. Official Journal L 013, 19/01/2000, pp 0012–0020
Wright B (1998) Making numbers ceremonial: signing tax returns with personal identification numbers. Personal communication
Detweiler L (1993) Identity, privacy and anonymity on the Internet. http://www.rewi.hu-berlin.de/jura/proj/dsi/Netze/privint.html
ISO International Standard 9594 (1988) Information technology – open systems interconnection reference model: the directory
International Telecommunication Union (1997) ITU-T Recommendation X.509, Information technology – open systems interconnection – The directory: authentication framework
Lopez J, Maña A, Ortega JJ, Troya JM (2000) Distributed storage and revocation in digital certificate databases. In: 11th International Conference on Database and Expert Systems Applications (DEXA’00). LNCS 1873. Springer, Berlin Heidelberg New York, pp 930–938
International Telecommunication Union (2000) ITU-T recommendation X.509, Information technology – open systems interconnection – The directory: public-key and attribute certificate frameworks
Myers M, Ankney R, Malpani A, Galperin S, Adams C (1999) X.509 internet public key infrastructure. Online certificate status protocol – OCSP, Internet request for comment 2560
Rivest R (1998) Can we eliminate revocation lists? In: Hirschfeld R (ed) Financial Cryptography. Second International Conference, FC’98, Anguilla, British West Indies, 23–25 February 1998. LNCS vol. 1465. Springer, Berlin Heidelberg New York, pp 178–183
Eastlake D (March 1999) Domain name system security extensions. Internet request for comment 2535
Lopez J, Maña A, Montenegro JA, Ortega JJ, Troya JM (June 2002) Designing software tools for the use of secure electronic forms. 3rd ACIS Int. Conf. on Software Engineering, Artificial Intelligence Networking and Parallel/Distributed Computing (SNPD’02), pp 157–163
Mockapetris P (November 1987) Domain names – concepts and facilities. Internet request for comments 1034
Hodges J, Morgan R (September 2002) Lightweight directory access protocol (v3): technical specification. Internet request for comment 3377
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Lopez, J., Maña, A., Montenegro, J. et al. PKI design based on the use of on-line certification authorities. IJIS 2, 91–102 (2004). https://doi.org/10.1007/s10207-003-0027-3
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-003-0027-3