This document presents an alternative mechanism for disseminating certificate status information called ADoCSI (Alternative Dissemination of Certificate Status Information). ADoCSI uses software agents to retrieve and validate certificate status information on behalf of dependent entities in a transparent manner. The document outlines some of the problems that need to be addressed when using agents for certificate status information, such as how to protect agents and the information they carry from unauthorized modification. It also provides an overview of the components involved in ADoCSI, including agent meeting places, certificate authority agents, and an interface agent.

1. University of the Aegean
De Facto Joint Research Group
Certificate Revocation:
What Is It and What
Should It Be
John Iliadis1,2, Stefanos Gritzalis1
Department of Information and Communication Systems Engineering
University of the Aegean
E-mail: {jiliad,sgritz}@aegean.gr
1
2
Department of Informatics
Technological Educational Institute of Athens
E-mail: jiliad@cs.teiath.gr

2. Overview
➢
➢
➢
➢
➢
➢
➢
Introduction
What is Certificate Revocation ?
Proposed mechanisms for Certificate Status
Information
Evaluation criteria for CSI mechanisms
The need for an alternative mechanism
Alternative Dissemination of CSI (ADoCSI)
Problems to be solved in ADoCSI
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 2 out of 21

3. Introduction
1.
2.
3.
4.
Is PKI a new era for Network
Security?
Certificate Revocation? What
Certificate Revocation?
Certificate Status Information
Mechanisms
EU Directive: “secure and prompt
revocation service”
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 3 out of 21

4. Certificate
Revocation
CA1
Authenticating
entity
AE
CSI
repository
Signer
SR
CA2
CSI
repository
Dependent entity
DE
CA3
CSI
repository
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 4 out of 21

5. CSI Mechanisms:
CRLs
➢
➢
➢
Certificate Revocation Lists
Compare to Black lists: Banks, Cell phone
Operators. Dependent entities: merchants
(online POS), Banks, other Cell phone
operators
CRL: Signed list containing serial numbers
of revoked (/suspended?) certificates, the
revocation dates and (optional) reasons
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 5 out of 21

6. CSI Mechanisms:
CRLs (cont.)
➢
➢
➢
➢
Delta-Certificate Revocation Lists
Distribution Points
Fresh Revocation Information
(DeltaCRLs on top of DP CRLs)
Redirect CRL (dynamic re-partitioning
of large DP CRLs)
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 6 out of 21

7. CSI Mechanisms:
(cont.)
➢
Enhanced CRL Distribution Options
➢
➢
Separate location and validation
functions.
Positive CSI
➢
CRLs are all wrong… CSI should contain
positive, not negative info. Dependent
entity should set ad hoc freshness
requirements and certificate holder should
provide ad hoc CSI.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 7 out of 21

8. CSI Mechanisms:
(cont.)
Online Certificate Status Protocol
–
Server returning signed CSI corresponding to
CSI requests by dependent entities. Possible
OCSP Responses:
1.
2.
3.
“Good”, meaning certificate has not been revoked,
“Revoked”, meaning certificate has been revoked or
suspended,
“Unknown”, OCSP is not aware of that certificate
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 8 out of 21

9. CSI: Freshnessconstrained
Revocation Authority
➢
➢
➢
Repositories of CSI need not be
trusted
Separation of Certification Authority
and Authority that issues CSI
(Revocation Authority, RevA)
Dependent entity requires fresh
enough CSI from certificate holder
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 9 out of 21

10. Evaluation Criteria:
Type of Mechanism
➢
➢
➢
➢
➢
➢
➢
M1: Transparency,
M2: Offline revocation,
M3: Delegation of revocation,
M4: Delegation of CSI dissemination,
M5: Delegation of certificate path validation,
M6: Referral capability,
M7: Revocation reasons.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 10 out of 21

11. Evaluation Criteria:
Efficiency
➢
➢
➢
➢
➢
➢
➢
E1: Timeliness of CSI,
E2: Freshness of CSI,
E3: Bounded revocation,
E4: Emergency CSI capability,
E5: Economy,
E6: Scalability,
E7: Adjustability.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 11 out of 21

12. Evaluation Criteria:
Security
➢
➢
➢
➢
➢
➢
S1: CSI disseminator authentication,
S2: CSI integrity,
S3: CA compromise
S4: RevA compromise,
S5: Contained functionality,
S6: Availability.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 12 out of 21

13. The need for an
alternative CSI
mechanism
➢
➢
Dependent entities and certificate
holders are not necessarily
experienced computer-users, nor are
they security aware,
PKI security-related procedures have
to be made more transparent, as in
the credit card system.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 13 out of 21

14. An Agent-based
mechanism
➢
➢
The transparency criterion has to be met:
location, retrieval and validation of CSI has
to be made transparent to the dependent
entity.
An Agent-based mechanism could do that,
using the aforementioned CSI mechanisms
and providing an indirection layer between
dependent entity and CSI mechanisms
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 14 out of 21

15. ADoCSI:
Alternative
Dissemination of Certificate
Status Information
The agents ADoCSI needs must be able
to:
1. Suspend execution and resume it at another execution
environment,
2. Retain their state, when transporting themselves to other
execution environments,
3. Create child agents and deploy them,
4. Select a network location, out of a list of locations, with
the least network congestion,
5. Communicate the retrieved information back to their
owner or to their owner’s application that spawned the
agent.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 15 out of 21

16. ADoCSI
Authenticating
entity
AE
CSI
AMP2
Signer
SR
referral
CA1
CA-CSI Agent
CA-CSI Agent
CA2
CA-CSI Agent
CSI
AMP1
Dependent entity
DE
Interface Agent
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
User-CSI
Agent
CA-CSI Agent
CA3
Slide 16 out of 21

17. ADoCSI (2)
1.
2.
3.
4.
5.
6.
Agent Meeting Places (AMP) (also called
Agent Platforms)
Dependent entity,
Authenticating Entity or Signer,
Certification Authority Certificate Status
Information (CA-CSI) Agent,
User Certificate Status Information (UserCSI) Agent,
Interface Agent.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 17 out of 21

18. ADoCSI: Problems
seeking solutions
ADOCSI researchers must find solutions to a series of problems that
emerge from using Agents in CSI, namely :
2.
3.
4.
5.
6.
7.
8.
How can the location function be implemented transparently ?
How can dependent entities retrieve and validate CSI
transparently ?
How is a certificate path validated ?
What is the way this mechanism interacts with dependent
entities ?
How are Agents protected from unauthorised modification or
replacement ?
How can CSI carried by Agents be protected ?
How can an Agent tell a fraudulent Agent Meeting Place ?
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 18 out of 21

19. ADoCSI: Problems
seeking solutions (2)
1.
2.
3.
4.
How can AMPs be protected from DoS attacks ?
How can dependent entities be protected against
User-CSI Agent replay attacks ?
How are the Agent Meeting Places protected from
malicious Agents ?
How can an Agent retrieve CSI for a dependent
entity, without letting the AMP know which
certificate did it retrieve CSI for ?
A first paper commenting on these issues will soon
appear.
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 19 out of 21

20. References
➢
➢
➢
References of general interest (PKI
mostly)
References to certificate revocation
resources
References to papers on securing
Software Agents
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 20 out of 21

21. References (2)
➢
➢
➢
References of general interest (PKI
mostly)
References to certificate revocation
resources
References to papers on securing
Software Agents
John Iliadis, Stefanos Gritzalis
University of the Aegean, IPICS 2002
Copyright © 2002
Slide 21 out of 21