Volume 270 - International Symposium on Grids and Clouds (ISGC) 2016 (ISGC 2016) - Networking, Security, Infrastructure & Operations
A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research
E. Sakane,* T. Nishimura, K. Aida
*corresponding author
Full text: pdf
Published on: 2017 January 11
Abstract
Among certification authorities (CAs) in an academic PKI trust federation such as IGTF (Interoperable Global Trust Federation), most of the academic organizations that operate a CA install by themselves the CA equipment in their building. To keep the CA trustworthy, it is necessary to maintain specialized CA equipment and to employ specifically trained operators. The high cost thereby incurred for CA operation weighs heavily on the CA organization. For research institutes whose primary duties are not the CA operation, the burden of the high cost of CA operations is an earnest problem, and cost reduction by increasing the efficiency of the operation is an important issue.

Instead of focusing on any further operational optimization of a single individual CA, in this paper we will review cost reductions by way of integrating more than one CA in a PKI federation. This paper considers the issuing and registration authorities that constitute a CA, and proposes the following integration model: it integrates the issuing duties, and each organization carries out the registration duties as before. In the proposed model, integrating the issuing duties means that one issuing authority (IA) takes over the duty of the other IA. Since each registration authority (RA) performs the registration duty as usual, most of procedures such as the application process to obtain certificates remain unchanged, so that it does not confuse the users.

Based on this proposed model, we discuss how to connect the superseding IA with the RA($\beta$) operated by the organization that closes its own IA($\beta$). Among possible connections, we examine not only a direct connection between the superseding IA and the RA($\beta$) but also a connection putting the RA($\alpha$) -- operated so far by the organization that operates the remaining IA -- inbetween them as a proxy. Furthermore, we augment the certificate policy of the superseding IA so that it is compatible with the policy of the RA($\beta$). We also discuss an applicability of existing CA profiles such as MICS (Member Integrated Credential Service) profile and its extension.
DOI: https://doi.org/10.22323/1.270.0015
Open Access