15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona


Generic Support for PKIX Certificate Management in CDSA

Shabnam Erfani, WatchGuard Technologies, serfani@watchguard.com
Sekar Chandersekaran, Microsoft Corporation, sekarcha@microsoft.com

With the advent of public key infrastructure (PKI) exploitation by secure Internet applications, various standards for implementing PKI services have emerged. These define various facets of the services that compose a PKI needed by higher-level applications such as electronic commerce, financial services and health care. The Common Data Security Architecture (CDSA) from the Open Group is a flexible standard that defines APIs for cryptography, secure data storage, key recovery and certificate lifecycle management services, the basic security services needed for implementing a PKI. CDSA provides a good architecture for managing multiple service providers and enhances scalability and interoperability. The emerging public key infrastructure (PKIX) standards from the IETF provide certificate profiles and management protocols geared toward the Internet. The PKIX specifications mainly define the expected behavior of the PKI by providing protocols, but do not provide abstractions that can be used by exploiting applications. In this paper we show how CDSA abstractions have been extended to enable support for the PKIX certificate management protocol. We first model a general, end-to-end system architecture based on CDSA that implements the PKIX profile and certificate management protocols. We discuss the merits of this system from the application and system architecture perspectives and point out the requirements that PKIX imposes on CDSA. We conclude the paper with a discussion of the new CDSA version 2.0 APIs that accommodate the PKIX model and requirements.