16th Annual Computer Security Applications Conference
December 11-15, 2000
New Orleans, Louisiana

Scalable, Policy Driven and General Purpose Public Key Infrastructure (PKI) For the Internet

Vishwa Prasad, Sreenivasa Potakamuri, Michael Ahern, Igor Balabine & Michah Lerner

This paper describes a flexible and general purpose PKI component providing an easily interoperable security infrastructure. Developed at AT&T Labs, the architecture is part of the UCAID/Internet2 efforts in PKI and scalable security. The architecture can host multiple certificate authorities (CAs) from different vendors in a uniform and scalable manner. This facilitates scalable operation with third-party CA systems, and may also find utility with multi-provider services. The component acts as a CA distributor driven by uniform enrollment procedures based on vendor independent PKI policies. The design of seamless integration facilitates easy integration with third party CA services such as Verisign. The architecture adapts software components into a framework for secure, authenticated IP services over the open Internet or within internal intranets. Policy descriptions, written in XML, support explicit controls upon certificate sources and contents. These XML-encoded policies define issuance and acceptance of X.509v3 certificates from multiple CAs supporting the "obligations and warrantees -- even if the policy is neither recorded anywhere nor referenced in the certificate" [1][2]. The PKI component has been developed within a general middleware platform [6].

Read Paper Read Paper (in PDF)