• Contact
• Maps
• Departments

• School of Computing home
• Undergraduate degrees
• Master's degrees
• PhD and research degrees
• Research
• Placements
• Kent IT Consultancy
• Makerspace
• Working with us
• About us
• News
• People
• Contact us

For current students & staff

• Information for students
• Systems support
• Information for staff

Search

School of Computing

The implementation of a system for evaluating trust in a PKI environment

E. Ball, D.W. Chadwick, and A. Basden

Abstract

This paper describes a system that allows the trust index of a Certification Authority (CA) to be computed both statically and dynamically. Static calculation is based on a CA's published Certificate Policy (CP) and Certification Practice Statement (CPS), whilst dynamic calculation is based on the actual current practices of the CA. At the heart of the system is an expert system that has knowledge about the factors that are important in computing the trust in a CA. Static calculation may be performed in one of two ways. In Method 1, the expert system asks the user (the CA's relying party) a series of questions, which he can answer by consulting the published CP/CPS of the CA. In Method 2, the expert system asks the same questions to a CPS Server, which takes its answers from an XML formatted CPS. This requires the CA administrator to first produce an XML formatted CPS, which we describe, and publish this in its LDAP directory along with its public key certificates and revocation lists. We describe the CPS server, which retrieves the XML CPS's as signed attribute certificates, and feeds answers to the questions posed by the expert system using a Simple SOAP protocol that we have designed. Dynamic calculation of the trust index may be based on information gathered from up to five sources: an Audit Certificate created by the external auditors of the CA, dynamic performance monitoring of the CA's rate of publication of Certificate Revocation Lists, information gathered by the relying party, information gathered by the subscriber, and information gathered about the vendor of the CA's PKI software. We have currently implemented the first two of these. The software has been written in Java and also provides tools that enable Audit Certificates and CPSs to be prepared and published.

Bibtex Record

@incollection{2126,
author = {E. Ball and D.W. Chadwick and A. Basden},
title = {The Implementation of a System for Evaluating Trust in a {PKI} Environment},
month = {unknown},
year = {2003},
pages = {182-196},
keywords = {determinacy analysis, Craig interpolants},
note = {},
doi = {},
url = {http://www.cs.kent.ac.uk/pubs/2003/2126},
    publication_type = {incollection},
    booktitle = {Trust in the Network Economy, Evolaris },
    volume = {2},
    editor = {Otto Petrovic and Michael Ksela and Markus Fallenbock and Christian Kitti},
    publisher = {SpringerWein},
    isbn = {3-211-06853-8},
}