A Computational Framework for Certificate Policy Operations

  • Conference paper
Public Key Infrastructures, Services and Applications (EuroPKI 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6391)

Abstract

The trustworthiness of any Public Key Infrastructure (PKI) rests upon the expectations for trust, and the degree to which those expectations are met. Policies, whether implicit as in PGP and SDSI/SPKI or explicitly required as in X.509, document expectations for trust in a PKI. The widespread use of X.509 in the context of global e-Science infrastructures, financial institutions, and the U.S. Federal government demands efficient, transparent, and reproducible policy decisions. Since current manual processes fall short of these goals, we designed, built, and tested computational tools to process the citation schemes of X.509 certificate policies defined in RFC 2527 and RFC 3647. Our PKI Policy Repository, PolicyBuilder, and PolicyReporter improve the consistency of certificate policy operations as actually practiced in compliance audits, grid accreditation, and policy mapping for bridging PKIs. Anecdotal and experimental evaluation of our tools on real-world tasks establishes their actual utility and suggests how machine-actionable policy might empower individuals to make informed trust decisions in the future.

This work was supported in part by the NSF (under grant CNS-0448499), the U.S. Department of Homeland Security (under Grant Award Number 2006-CS-001-000001), and AT&T. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of any of the sponsors.

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Weaver, G.A., Rea, S., Smith, S.W. (2010). A Computational Framework for Certificate Policy Operations. In: Martinelli, F., Preneel, B. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2009. Lecture Notes in Computer Science, vol 6391. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16441-5_2

  • DOI: https://doi.org/10.1007/978-3-642-16441-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16440-8

  • Online ISBN: 978-3-642-16441-5

  • eBook Packages: Computer Science, Computer Science (R0)
