7.6 Conclusions

7.6    Conclusions

Certificate management and PKIs are increasingly important topics for the Internet. In fact, many organizations face the problem of how to get the X.509v3 certificates they require for emerging technologies, such as IPsec, SSL/TLS, and S/MIME. In general, there are two possibilities:

1. The organization can establish a PKI of its own;

2. The organization can outsource the services and buy X.509v3 certificates from one or several commercial certification service providers.

If an organization wants to establish a PKI of its own, it can use one of the many commercial PKI solutions and products that are available on the market. Companies that offer PKI solutions and products include Entrust , ²³ Baltimore Technologies, ²⁴ and RSA Security. ²⁵ You may refer to the trade press to get a more comprehensive and up-to-date overview about currently available PKI solutions and products.

@FN@ http://www.entrust.com/entrust #FN#

@FN@ http://www.baltimore.com #FN#

@FN@ http://www.rsa.com #FN#

If a company or organization wants to outsource certification services, it can buy corresponding X.509v3 certificates from one (or several) commercial certification service provider(s). Exemplary providers are VeriSign, Inc. ^[26] and Entrust.net. ^[27] In fact, an increasingly large number of commercial certification service providers are offering their services to the general public. Again, this trend is strengthened by legislation initiatives for digital or electronic signatures. Note, however, that the market for certification services is far from being mature, and that there are many ongoing changes.

In addition to the two possibilities mentioned, there is a whole range of intermediate possibilities. The general idea is to have the company or organization act as RA for its users and make use of a commercial certification service provider to actually issue certificates. This is interesting mainly because it is simple for the company or organization to register and authenticate its users, and also because almost everything can be batched from the certification service provider s point of view. A corresponding architecture was proposed in [33]. A similar architecture has been implemented and marketed in various offerings, such as VeriSign s OnSite Managed Trust Service. ^[28]

A more critical word should be said about the overall cost of public key cryptography in general, and PKIs in particular. Note that one of the original claims of public key cryptography was to minimize the initiation cost of a secure communication path between parties that share no prior administrative relationship. It was assumed that this would be the major reason why public key cryptography would dominate e-commerce applications in the first place. Note, however, that with no shared administrative structure to connect the parties, we must invent many things, such as certificate chaining, certificate revocation, and certificate directory services. In other words, we have to invent the very thing that public key cryptography claimed not to need, namely administrative overhead. This point was made by Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum in [34]. In fact, they do not argue against public key cryptography in general, but they argue that much of the implied cost savings of public key cryptography over secret key cryptography is nothing more than an illusion. To further clarify the point, they argue that the sum of the cost for cryptographic-key issuance and the cost for cryptographic-key revocation is more or less constant (for both public key cryptography and secret key cryptography). Note that this argument is only an assertion and is not yet substantiated by any detailed analysis. Also note that much of the initial motivation for use of public key cryptography was not cost based, but rather security based. For example, the argument was made that there are many more vulnerabilities associated with schemes that make use of secret key cryptography only as compared with schemes that selectively make use of public key cryptography, especially when one crosses organizational boundaries. As an example, you may look at the Kerberos authentication system, especially in the case of inter-realm authentication. In spite of the fact that the argument is not substantiated by any detailed analysis and that the initial motivation for the use of public key cryptography and corresponding PKIs was security (not costs), the argument should still be considered with care. Note, for example, the problems we face when we try to establish and operate a PKI today. Some of the problems are caused by the need to revoke certificates. This problem makes it necessary to have an online component permanently available for an otherwise off-line CA. Ideally, certificate revocation is handled by an on-line component that is physically or logically separated from the off-line CA [35].

Finally, it should be kept in mind that the widespread use of public key certificates that include (or are logically linked to) globally unique names , such as DNs, may also provide the means to build a worldwide tracking system for user transactions. If a user acquires multiple certificates, each of which contains a different subject name with only local significance, he or she will not be able to be tracked. If, however, he or she acquires only one certificate and this certificate is used for multiple (or all) applications, he or she can be tracked very easily. Consequently, the widespread use of a single certificate per person may also contradict his or her privacy requirements. ^[29] Against this background, Stefan A. Brands developed a technological approach that can be used to replace X.509-based certificates [36]. The resulting certificates can be used to authenticate and authorize their owners ; they do not, however, reveal any information that is not necessary to the certificate verifier. As such, the certificates may be called ˜ ˜minimum-disclosure certificates. They provide a first example of a privacy enhancing technology (PET) in this area, and it is possible and very likely that we will see other PETs being developed and deployed in the future. We will come back to the notion of a PET in Chapter 12.