deployment. In particular, we enhanced the peer-to-peer protocol to support (1) interoperable PKI message exchange among CAs, and (2) usable federated identities deployment. The most noticeable addition to the PEACH network infrastructure is the introduction of a new type of node, the PK Federation Authorities.
In the PKS model, network administrators deploy local PKS responders. As such, the PKS is similar to the DNS, where caching servers are deployed in LANs to ease client configuration. The PKS responders, in this case, act as a PKI proxy for applications. In case the local organization has also deployed its own CA, the local PKS node will reply to PKI requests for the local PKI in addition to forwarding requests addressed to external CAs.
In order to locate available CAs efficiently on the PKS network, we use unique node identifiers for each CA. We leverage the availability of the CAs' digital certificates by deriving the node's identifier from the fingerprint of the CA certificate itself. For example, if CA1 wants to participate in the PKS network, it will set up a PKS node and issue a certificate that identifies it as the authoritative PKS responder.
When joining the PKS network, the PKI gateway will present its own certificate together with its issuing CA's certificate. The node identifier, that is, the identifier that will enable the node to be found on the network, is calculated using the fingerprint of the CA's certificate. To validate the identity of the joining node, a simple validation of the presented certificate chain will guarantee that the joining node has been authorized as a PKS responder for that particular CA. This approach guarantees high scalability, provides a simple approach to PKS responder deployment, and is logically compatible with the Peer Name Resolution Protocol (Microsoft) already available in the Windows operating system (although available only over IPv6).
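The join check just described, as an added example that is not part of the paper or of the PEACH/PKS code: a constructed CA1 issues a certificate to its PKS responder, the node identifier is the fingerprint of the CA certificate (the text does not fix the hash function, so SHA-256 over the DER encoding is assumed), and a node is accepted only if the certificate it presents chains to the CA whose identifier it claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NodeID: PKS node identifier from the CA certificate fingerprint (hash unspecified in the text; SHA-256 over DER assumed).
func NodeID(ca *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(ca.Raw)) }

// ValidateJoin: a node claiming a CA's identifier must present a certificate that chains to that CA.
func ValidateJoin(responder, ca *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := responder.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("join rejected: %w", err)
	}
	return NodeID(ca), nil
}

// mint issues a constructed test certificate for cn; with no parent it is a self-signed CA.
func mint(cn string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := mint("CA1", 1, nil, nil)                   // CA1 operates its own PKS responder
	responder, _ := mint("CA1 PKS responder", 2, ca, caKey) // responder certificate issued by CA1
	fmt.Println(ValidateJoin(responder, ca))                // node identifier followed by <nil>
}
```

A responder certificate with the same name but issued by a different CA fails the chain validation and therefore cannot claim CA1's node identifier.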
Ultimately, we notice that the PKS network can support any type of public key identifier, not only X.509 certificates. This feature stems from the use of the output of the hash function to link a node on the PKS network to an identity (e.g., a CA or a PK-FA). Although our work primarily focuses on X.509 certificates, the PKS overlay network is capable of supporting multiple types of public-key-based identifiers.
Two-Tier Approach. To ease the deployment of PKS, applications such as browsers or email clients access the PKS by querying the local PKS server. The local PKS responder is responsible for discovering whether the responder authoritative for the CA requested by a client is available on the PKS network and, if so, it forwards the application's request to the target node. The response is then routed back to the client through the same local PKS responder.
In other words, applications use only one simple transport protocol for all PKI-related queries (e.g., OCSP, CMM, SCEP, etc.) and do not need to implement any of the peer-to-peer overlay network operations (e.g., join() or lookup()).
The Quest for Federated Identities. One of the urgent needs in today's on-line communities is the possibility to demonstrate one's participation in one or more federations. In the case of Computing Grids, these federations are identified by accreditation bodies. These authorities decide the policies (or rules) that an organization must follow in order to be accredited. They also perform audits to check the compliance of an accredited organization with the policy of the VO. Therefore, being the authority recognized by every member participating in the VO, the policy body is the authoritative source of information about the VO membership. Regrettably, there is no standardized way to dynamically provide that information to applications.
To accommodate the need to federate existing organizations, the PKS supports PK Federation Authorities (PK-FA) nodes. These nodes provide information about the deployed federations by indicating whether a particular entity is part of a specific federation or not. The protocol we designed in