Public-key Infrastructure Options and choices Tim Moses Director, Advanced Security Technology April 98 1997 Entrust Technologies
Overview General-purpose and Dedicated PKIs Trust models Two-key architecture 1997 Entrust Technologies p. 2
General-purpose and Dedicated General-purpose PKI Certificates intended for general use But, a subject name is only meaningful in context Certificates are effectively anonymous Additional context-sensitive information required to disambiguate the subject name However, the subject can be repeatably identified 1997 Entrust Technologies p. 3
Typical use CA certificate{certid} Internet Organization B Web server Browser TLS Web server Look-up table certid - accountno... Look-up table certid - employeeno... Organization A 1997 Entrust Technologies p. 4
General-purpose and dedicated Dedicated PKI Intended for use in context e.g. in a single organization Subject name is meaningful in the context Certificate contains disambiguating information 1997 Entrust Technologies p. 5
Typical use CA certificate{name} Internet Organization A Web server Browser TLS Web server 1997 Entrust Technologies p. 6
Comparison General-purpose Advantage Cost of certificate issuance shared across organizations Disadvantages Identity managed separately by each application Revocation only useful for reasons of key compromise Dedicated Advantages One-time identity management Revocation useful for change of status in the organization, as well as for key compromise Disadvantages A separate certificate is required for use in each separate organization 1997 Entrust Technologies p. 7
Summary General-purpose PKI more costeffective for organizations with a single public-key-enabled application Dedicated PKI more cost-effective for organizations with multiple public-keyenabled applications Interest shifting from the Generalpurpose to the Dedicated PKI concept 1997 Entrust Technologies p. 8
Trust models Options Personal (PGP, SDSI, SPKI, Entrust PAB) Hierarchical (SET, US DoD) Web Distributed 1997 Entrust Technologies p. 9
Hierarchical trust model Root CA Relying party imports Root CA key CA CA Relying party Subscriber Subscriber is issued a certificate chain Subscriber 1997 Entrust Technologies p. 10
Web trust model Relying party imports many CA keys CA CA Relying party Subscriber Subscriber 1997 Entrust Technologies p. 11
Distributed trust model cross-certificate Relying party imports one CA key CA CA Relying party Subscriber Subscriber 1997 Entrust Technologies p. 12
Trust model summary Each model has its own domain of applicability Hierarchical model suitable where there is an accepted and stable source of authority Web model most suited to low-risk, spontaneous relationships Distributed trust model most suitable between peer organizations 1997 Entrust Technologies p. 13
Common criticism of the distributed trust model High cost of establishing interorganizational trust links On the order of $10k per link Not justifiable for low risk relationships This is only true for heavy-weight process 1997 Entrust Technologies p. 14
ABA ISC accreditation process International audience Policy adopting body Accreditation body Certificate policy Evaluator lab Accreditation process Subscriber Certification authority CPS Relying party 1997 Entrust Technologies p. 15
Light-weight process Certification authority Public key Conditions of use Warranties Relying party Certificate Certificate Subscriber 1997 Entrust Technologies p. 16
Summary In low risk relationships... Use a light-weight process Cross-certification can be largely automated Cost of establishing trust links could be on the order of $1 per link Use web-based technology XML Search engines 1997 Entrust Technologies p. 17
Two-key architecture Each subscriber has two key-pairs and two certificates One for confidentiality One for authenticity / integrity Algorithm independent RSA DSA / Diffie-Hellman ECDSA / ECDH 1997 Entrust Technologies p. 18
Two-key architecture Enables... Non-repudiation No back-up of private signature key Automated recovery for persistent confidentiality Back-up of private decryption-key Alternatives... Manual private key back-up and recovery Estimated operating cost of $80 per user per year Encrypt symmetric keys for a key-recovery agent Too early to tell how costs compare 1997 Entrust Technologies p. 19
Summary Interest shifting from General-purpose to Dedicated PKI Each trust model has its own domain of applicability Misconceptions about the operating costs of the distributed trust model Two-key architecture Manual key back-up and recovery of private decryption keys is impractical and costly Too early to tell how it compares with key recovery agent schemes 1997 Entrust Technologies p. 20