
Notification Services for the Server-Based Certificate Validation Protocol

DOI: 10.4236/ijcns.2009.25042, PP. 378-384

Keywords: SCVP, Certification Path, Certification Path Construction, Certification Path Validation, X.509 Certificate


Abstract:

The Server-Based Certificate Validation Protocol (SCVP) allows PKI clients to delegate the construction or validation of certification paths to a server. The protocol's specification focuses on the communication between the server and the client and on its security; it does not discuss how the servers can efficiently locate the PKI resources they need, such as certificates or certificate revocation lists. In this paper we concentrate on this topic. We present a simple and effective method that helps the servers locate and use various PKI resources without modifying the protocol. We use the protocol's extension mechanism to notify the servers about PKI repositories, certificates, and revocations. We specify the tasks of the servers and certificate issuers and define the messages exchanged between them. A proof of concept is given by implementing an SCVP server, a client, and the proposed method in Java.

