Design and Implementation of a New Public-Key Certificate Status Handling Scheme

E. Faldella and M. Prandini (Italy)


Information Security, PKI, Certificate Revocation, Applied Cryptography


The paper presents the main design issues concerning the deployment in a real-life scenario of a high-performance scheme devised for handling certificate status within Public-Key Infrastructures (PKIs). Such a scalable scheme, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, asserts in a timely and secure way the status of each certificate via a single, collective, directory-signed proof. This feature, which allows limiting the directory computational load to an upper bound independent from the rate PKI’s users perform certificate status verification operations, is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when other on-line schemes, such as the well-known On-line Certificate Status Protocol (OCSP), are applied. The deployment phase has involved both the design of the server in charge of certificates status authentication, and the integration of the corresponding client within very popular programs, namely the Mozilla suite and the Apache web server, which can exploit the new status verification scheme as part of their usual procedures dealing with public-key certificates.

Important Links:

Go Back