1st Annual PKI Research Workshop---Proceedings
نویسنده
چکیده
The Trust Assertion XML Infrastructure (TAXI) is described. TAXI is a PKI research project that had the objective of developing technology that would assist the deployment of PKI. Parts of the TAXI architecture have since been realized in open standards, notably the XKMS [XKMS] and SAML [SAML] specifications, other parts of the TAXI architecture such as XTAML [XTAML] and XKASS [XKASS] have been published as research notes for public review and possible standardization at a later date. The paper describes the architectural principles underlying the design decisions taken in these specifications. 1 Cryptography and Trust Public Key cryptography permits secure communication to be established between any parties provided only that each has trustworthy knowledge of the public key of the other. The means by which that trustworthy knowledge is obtained is known as Public Key Infrastructure (PKI). PKI secures the interface between the abstract world of electronic communications and the concrete offline world. PKI is complex and subtle because the world is complex and subtle. The deployment of PKI in the real world has been subject to numerous disputes about architecture, factional schisms and political intrigues. While some of these disputes have technical merit few have advanced the cause for PKI. The quest for the perfect PKI has too often been the enemy of deployment of a good PKI. This paper describes the Trust Assertion XML Infrastructure (TAXI), a research project that was undertaken in the summer of 2000 with the objective of developing technology that would assist the deployment of PKI. Parts of the TAXI architecture have since been realized in open standards, notably the XKMS [XKMS] and SAML [SAML] specifications, other parts of the TAXI architecture such as XTAML [XTAML] and XKASS [XKASS] have been published as research notes for public review and possible standardization at a later date. Standards documents intended to describe a normative specification should not provide any discussion of the architectural principles. This paper is intended to make good this omission and to explain how the different components of the TAXI architecture were intended to fit together. In view of the developments since the original TAXI architecture was developed this paper makes use of the terminology and concepts used in the XKMS and SAML specifications rather than those of the original documents.
منابع مشابه
1st Annual PKI Research Workshop---Proceedings
In [1], a scalable and small-bandwidth certificate validation scheme was presented. We call this system NOVOMODO, to emphasize the new way in which it approaches the field. In this paper, we recall the NOVOMODO technology and • Compare the efficiency and security of NOVOMODO and OCSP; and • Discuss how NOVOMODO may simplify PKI management in several applications (e.g., attribute certs). 1. Trad...
متن کامل1st Annual PKI Research Workshop---Proceedings
The fundamental goal of PKIs is to provide a means for participating entities to establish and manage trust in other entities, either within or across domain boundaries. As PKIs have evolved, so has the set of alternate methods supporting validation of entities, their certificates, and their keys. Validation processing determines whether or not the acceptance of a certificate or key represents ...
متن کامل1st Annual PKI Research Workshop---Proceedings
Recently there has been considerable interest among PKI vendors and researchers in the concept of password-enabled PKI. Several viable proposals and products have emerged. Fundamentally there are two distinct methods for using passwords with private keys. One method is to use the password to retrieve a private key, while the other uses the password as one component of the private key. We motiva...
متن کامل1st Annual PKI Research Workshop---Proceedings
This paper contrasts the use of an ID PKI (Public Key Infrastructure) with the use of delegatable, direct authorization. It first addresses some commonly held beliefs about an ID PKI – that you need a good ID certificate to use digital signatures, that the ID certificate should come from a CA that has especially good private key security, that use of the ID certificate allows you to know with w...
متن کامل1st Annual PKI Research Workshop---Proceedings
Tuple reduction is the basic mechanism used in SPKI to make authorisation decisions. A basic problem with the SPKI authorisation syntax is that straightforward implementations of tuple reduction are quadratic in both time and space. In the paper we introduce a restricted version of the SPKI authorisation syntax, which appears to conform well with practice, and for which authorisation decisions ...
متن کامل1st Annual PKI Research Workshop---Proceedings
Certificates carry signed statements within a PublicKey Infrastructure (PKI). As we begin to build more complex and more open PKIs, the limited expressiveness of current certificate languages becomes a concern. While certificates are traditionally treated as simple data structures conforming to a given schema, we show an alternative derivation of the concept of a certificate in which certificat...
متن کامل