Page 66 - 2015 Security in Telecommunications and Information Technology
Each CA will operate according to a set of policies. Recommendation ITU-T X.509 provides mechanisms for
distributing some of this policy information in extensions of public-key certificates issued by the CA. The
policy rules and procedures followed by a CA are usually documented in a certificate policy (CP) and a
certification practice statement (CPS), which are published by the CA. These documents help to ensure a
common basis for evaluating the trust that can be placed in the public-key certificates issued by a CA, both
internationally and across sectors. They also provide part of the legal framework necessary for building up
inter-organizational trust, as well as specifying limitations on the use of the issued public-key certificates.
When a relying party needs to validate a public-key certificate, it must establish a certification path. A
certification path is a chain of public-key certificates where the subject in one public-key certificate is the
issuer in a subsequent public-key certificate. The top public-key certificate (typically a CA certificate) must
be issued by a trust anchor recognized by the relying party. This is illustrated in Figure 13.
[Figure 13 – Certification path. Elements shown: trust anchor information; a chain of CA certificates (the top one issued by the trust anchor) forming the certification path; the end-entity public-key certificate; the PKI and the relying party. Legend: CA signing, chain of CA certificates, trust anchor signing, trust relationship.]
Each public-key certificate on the certification path needs to be validated. In principle, the certificate policy
related to each public-key certificate must be observed. However, certificate policies are provided in a
non-machine-readable format, leaving it to a human user to make the judgement. Human users may not be
capable of judging the policy requirements and, in many situations, non-human users may be involved.
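As an added illustration (not code from the Recommendation or from this report), the following Python shows the two machine-checkable steps described above: building the certification path by following subject/issuer links up to a trust anchor, and intersecting the certificatePolicies OIDs along that path. Signature verification, validity periods and revocation checks are deliberately left out, and the names and policy OIDs (under the 2.999 example arc) are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ANY_POLICY = "2.5.29.32.0"  # X.509 anyPolicy OID


@dataclass(frozen=True)
class Certificate:
    """Minimal model of a public-key certificate: only the fields path processing uses."""
    subject: str
    issuer: str
    is_ca: bool                 # basicConstraints cA flag
    policies: FrozenSet[str]    # certificatePolicies OIDs


def build_path(end_entity: Certificate, ca_certs: List[Certificate],
               trust_anchors: Set[str]) -> Optional[List[Certificate]]:
    """Follow issuer links from the end-entity certificate until a certificate issued by a
    trust anchor is reached. Returns the path with the trust-anchor-issued CA certificate
    first (the order of Figure 13), or None if no such path exists."""
    by_subject: Dict[str, Certificate] = {c.subject: c for c in ca_certs}
    path, seen, current = [end_entity], {end_entity.subject}, end_entity
    while current.issuer not in trust_anchors:
        nxt = by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca or nxt.subject in seen:
            return None  # unknown issuer, issuer is not a CA, or a loop in the chain
        seen.add(nxt.subject)
        path.append(nxt)
        current = nxt
    return list(reversed(path))


def valid_policies(path: List[Certificate]) -> Set[str]:
    """Machine-checkable part of policy processing: the policy OIDs asserted by every
    certificate on the path. A certificate carrying anyPolicy accepts all policies."""
    valid: Optional[Set[str]] = None
    for cert in path:
        if ANY_POLICY in cert.policies:
            continue
        valid = set(cert.policies) if valid is None else valid & cert.policies
    return valid if valid is not None else {ANY_POLICY}


def validate(end_entity: Certificate, ca_certs: List[Certificate],
             trust_anchors: Set[str], required_policy: str) -> bool:
    """True only if a path to a trust anchor exists and it satisfies required_policy."""
    path = build_path(end_entity, ca_certs, trust_anchors)
    if path is None:
        return False
    policies = valid_policies(path)
    return required_policy in policies or ANY_POLICY in policies


# Constructed sample PKI; the OIDs are examples, not policies of any real CA.
TRUST_ANCHORS = {"CN=Example Root"}
INTERMEDIATE = Certificate("CN=Example Issuing CA", "CN=Example Root", True,
                           frozenset({"2.999.1.1", "2.999.1.2"}))
ALICE = Certificate("CN=alice", "CN=Example Issuing CA", False, frozenset({"2.999.1.1"}))
BOB = Certificate("CN=bob", "CN=Unknown CA", False, frozenset({"2.999.1.1"}))
CA_CERTS = [INTERMEDIATE]
```

`validate(ALICE, CA_CERTS, TRUST_ANCHORS, "2.999.1.1")` succeeds, while requiring `2.999.1.2` fails because the end-entity certificate does not assert it, and `BOB` has no path to a trust anchor at all.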
The next edition of Recommendation ITU-T X.509, expected to be completed in 2016, will include significant
enhancements to ensure efficient and secure validation of public-key certificates:
– A new type of PKI component, called trust broker, provides a service for relying parties when
validating public-key certificates. A trust broker keeps track of a set of CAs and the policies under
which they issue public-key certificates. When validating a public-key certificate, a relying party may
consult the appropriate trust broker to check its validity.
– Some relying parties may communicate only with a limited set of other entities and they may be
required to observe restrictions on the communications, e.g., to accept only communications over a
limited set of communications protocols. The necessary information is supplied to a relying party in
an authorization and validation list (AVL). This list is supplied and maintained by a new PKI
component called the authorization and validation manager (AVM). Some relying parties may be
constrained with respect to processing power, storage, bandwidth and time and cannot afford to go to
a third party to validate public-key certificates. In such an environment the AVL may be extended to
46 The importance of the Directory