15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona

A Distributed Certificate Management System (DCMS) Supporting Group-based Access Controls

Rolf Oppliger, rolf.oppliger@acm.org
Andreas Greulich
Peter Trachsel

Mainly for scalability reasons, many cryptographic security protocols make use of public key cryptography and require the existence of a public key infrastructure (PKI). A PKI, in turn, consists of one or several certification authorities (CAs) that issue and revoke certificates for users and other CAs. Contrary to its conceptual simplicity, the establishment and operational maintenance of a CA or PKI has turned out to be difficult in practice. As a viable alternative, this paper proposes an architecture for a distributed certificate management system (DCMS) that can also be used to provide support for group-based access controls. The architecture has been prototyped and is being used by the Swiss Federal Strategy Unit for Information Technology (FSUIT) to protect access to intranet resources.