Conference: Distributed Computing Systems Workshops, 2009. ICDCS Workshops '09

Autonomous Decentralized Root Certification Authority System

Abstract

A public key infrastructure (PKI) is a set of elements and procedures needed to create, store, manage, distribute and revoke digital certificates. Its main objective is to bind public keys to their respective user identities, assuring the uniqueness of these public keys. A PKI must guarantee the reliability of its services, assuring the timeliness of its responses and the continuity of the service despite growth in the number of users and the presence of hardware or software failures. Avoiding duplication of public keys due to intentional or involuntary errors is mandatory in a PKI; hence the verification of public key uniqueness is a fundamental task. In this paper we propose a model in which a PKI is constituted by the following entities: a root certification authority (root-CA) responsible for issuing authorities' certificates and verifying the uniqueness of the public keys issued on its own or by any of the other authorities belonging to this PKI, a number of certification authorities (CAs) which issue end users' certificates, and a number of registration authorities (RAs), which store the user certificates. In our PKI model the root certification authority has a main role, and it is clear that it could become a bottleneck in a real implementation; to avoid this risk, we have tried to benefit from autonomous decentralized systems (ADS) concepts and have proposed an approach in which the root certification authority has the properties of an ADS, namely on-line expandability, on-line maintenance and fault tolerance. The main contributions of this paper are two: first, we apply ADS concepts in a PKI model and, second, we show a software implementation of an ADS architecture.
