PKI design based on the use of on-line certification authorities

摘要

Public-key infrastructures (PKIs) are considered the basis of the protocols and tools needed to guarantee the security of new Internet applications like electronic commerce, government-citizen relationships and digital distribution. This paper introduces a new infrastructure design, Cert'eM, a key management and certification system that is based on the structure of the electronic mail service and on the principle of near-certification. Cert'eM provides a secure means to identify users and distribute their public-key certificates, enhances the efficiency of revocation procedures, and avoids scalability and synchronization problems. Because we have considered the revocation problem as priority in the design process and a big influence in the rest of the PKI components, we have developed an alternative solution to the use of certificate revocation lists (CRLs). This has become one of the strongest points of this new scheme.