A Computational Framework
for Certificate Policy Operations
?
Gabriel A. Weaver, Scott Rea, Sean W. Smith
Dartmouth College, Hanover, NH 03755, USA
Abstract. The trustworthiness of any Public Key Infrastructure (PKI)
rests upon the expectations for trust, and the degree to which those ex-
pectations are met. Policies, whether implicit as in PGP and SDSI/SPKI
or explicitly required as in X.509, document ex pectations for trust in a
PKI. The widespread use of X.509 in the context of global e-Science
infrastructures, financial insti tutions, and the U.S. Federal government
demands efficient, transparent, and reproducible policy decisions. Since
current manual processes fall short of these goals, we designed, built,
and tested computational tools to process the citation schemes of X.509
certificate policies defined in RFC 2527 and RFC 3647. Our PKI Policy
Repository, PolicyBuilder, and PolicyReporter improve the consistency
of certificate policy operations as actually practiced in compliance au-
dits, grid accreditation, and policy mapping for bridging PKIs. Anecdotal
and experimental evaluation of our tools on real-world tasks establishes
their actual util ity and suggests how machine-actionable policy might
empower individuals to make informed trust decisions in the future.
Keywords: PKI; Certificate Policy Formalization; XML
1 Introduction
The fundamental purpose of PKI is to allow relying parties to trust use rs based
upon a set of credentials the user has proven they have control over. Confidence in
these user credentials re quires the relying party to evaluate the trustworthiness of
an association between a public key and one or more attributes. These attributes
may serve to identify a person, machine, or organization, or they may simply
associate an arbitrary property with a public key.
Foundations for Trust in a X.509 PKI In X.509, these associations are
expressed in a machine-actionable document called a certificate and a certificate
authority (CA) attests to the validity of these associations. The certificate policy
(CP) of an organization contains a set of expectations that define its notion
of a trustworthy public key certificate and how it may be used. The Certifica-
tion Practices Statement (CPS) state s how a CA actually implements a CP. In
principle, the trustworthiness of a certificate is a function of the s imilarity of
stated policy to personal trust expectations (measured in the Policy Compari-
son process) and the similarity of stated policy to actual practice (Compliance
Audit).
Evaluating the similarity of policies depends upon the comparison of CPs.
Ideally users should e valuate trusted roots based on their personal expectations.
In actual practice, the average user blindly adopts the trust expectations of their
?
This work was supported in part by the NSF (under grant CNS-0448499), the U.S. Department of Homeland
Security (under Grant Award Number 2006-CS-001-000001), and AT&T. The views and conclusions contained
in this document are those of the authors and should not be interpreted as necessarily representing the official
policies, either expressed or implied, of any of the sponsors.
employers, application vendors, or of companies like Thawte and VeriSign. Until
user-friendly policy becomes a reality, requirements for trust will continue to be
expressed for organizations, by organizations.
Currently, people manually compare the two policies involved, reading both
documents line by line. Bridge CAs relieve organizations of much of this burden,
employing this same manual process to establish trust relationships between
member organizations. Bridge CAs attest that the expectations of trust for all
of its member organizations are logically consistent. If a member organization
issues a certificate, that certificate is viewed as trustworthy among all members
of the bridge at a predetermined level of assurance [20].
A policy is probably useless unless it is followed in practice. Compliance
audits determine whether a CA issues certificates according to a CP in actual
practice. Federations and bridges ensure that the requirements for trust are met
through such audits, whether for ac creditation or cross-certification respectively.
For example, the current approach to accreditation at the International Grid
Trust Federation (IGTF) defines a mostly manual process; one step involves
Policy Management Authority (PMA) members reviewing a CP in detail, com-
paring its contents against requirements in an authentication profile (AP) [21].
Auditing PKIs within financial institutions also involves following a manual pro-
cess described in ISO 21188 [22] [25]. Cross-certification, the operation necessary
to establish a bridge, similarly requires comparing CPs.
We claim that informed trust decisions should be based on processes that
consistently estimate actual organizational behavior. Consistent processes occur
frequently in a manner transparent to the user; their results are both repro-
ducible and auditable. Currently-practiced, manual CP operations are costly,
time-consuming, lack end-user transparency, and are difficult to reproduce. We
claim that computationally processing machine-actionable certificate policies
would be more efficient and consistent.
Our Contributions to Certificate Policy Formalization Our PKI
Policy Repository, PolicyBuilder, and PolicyReporter codify certificate policy
processes used in PKI compliance audits, grid accreditation, and bridging PKIs.
We claim that these tools improve the efficiency and consistency of policy re-
trieval, creation, and comparison. This section presents our contributions in the
context of previous work on the identification, representation, and manipulation
of certificate policies.
Identification Our tools identify certificate policies using a hierarchical,
human-readable, machine-actionable reference string called a Canonical Text
Services Uniform Resource Name (CTS-URN) [14]. CTS-URNs emerge from
some of our previous work on the Multitext of Homer Project [15] to perform
computations on Classic al Greek texts [32]. One of this paper’s contributions
is to use CTS-URNs encoded as Object Identifiers (OID)s to identfy individual
CPs, arbitrary sets of policy documents, or other versions or translations of that
same document.
CTS-URNs also identify sets of policy requirements organized within a cita-
tion (or reference) scheme. RFC 3647, Section 6 [12] explicitly defines a citation
scheme organized in terms of policy requirements to facilitate the comparison of
CPs and CPSs. CTS-URNs enable the tools we built to compute with respect to
a policy’s reference structure, identifying individual security provisions
1
or the
document in its entirety.
Our identification scheme increases the expressiveness of policy related cer-
tificate extensions by encoding CTS-URNs as OIDs. Accepting or rejecting CPs
is currently a binary decision; policy documents must be “completely acc epted
or forbidden” [24]. CTS-URNs let people and machines reference arbitrary sec-
tions of a policy; rather than accepting or rejecting an entire policy document,
users may whitelist or blacklist agreeable or offending provisions.
Representation We encode certificate policies using Text Encoding Initiative
(TEI) P5 Lite, an XML standard for representing texts in digital form [5]. Like
previous efforts to encode policies using XML [8] [7], we model a security policy
as a tree.
2
Given a policy’s text, we only mark up its citation scheme, the outline
of provisions defined in Section 6 of RFC 3647 or Section 5 of RFC 2527 [11]. This
results in a semi-formal [7] policy representation that is both machine-actionable
and human-readable. This approach simplifies the overhead of encoding a policy.
The Federal PKI Policy Authority (FPKIPA) Technical Specification recom -
mends writing CPs and CPSs in a natural language [12]. Our representation
honors that recommendation and leaves the natural language of the policy un-
changed. Alternate representations of policies such as data-centric XML
3
, matri-
ces, or ASN.1 require a person to read the source text and fit their interpretation
of that text to a data format. Such representations are unsuitable for relying par-
ties to easily understand the meaning of a policy [7] [19] [12]. Our contribution
is a policy representation that humans can use as a primary source for informed
policy decisions and which computers can process.
Manipulation Computing on certificate policies overcomes many of the
drawbacks and limitations of manual processes. We claim that implementations
of algorithms are efficient and consistent processes for explicitly imposing a
model on policy content. Algorithms may be run frequently. Unlike deriving a
model of policy content from text and encoding it by hand, algorithms can be
run on demand any time as CPs change. Algorithms are unambiguous and when
their implementations are open-source, the underlying process is transparent to
the user. Finally, the output of algorithms may be reproduced by running the
same input and interpreted to make informed trust decisions.
This Paper This paper is organized as follows. Section 2 desc ribes some
real-world use cases for certificate policy and the reliability of current practices .
Section 3 introduces the design and implementation of the tools we built for
processing certificate policy and illustrates how they address real-world needs
while improving actual practice. We evaluate these tools in Section 4, using
anecdotal and experimental evidence. Section 5 reviews related work. Section
6 describes future research directions building upon this work, and Section 7
concludes.
1
Trcek et. al’s DNS-like system organized the set of all possible security requirements hierarchically into domains
that were referenced by human-readable, machine-actionable strings [34].
2
Our approach is inspired by current approaches to digitizing Classical texts [15] [13].
3
Document-centric XML is the type of documents “written by hand, by an author” like a letter or chapter. Data-centric
XML is used to transport data between computers [30].
2 Problems with Manual Certificate Policy Processes
Certificate p olicy defines the trustworthiness of a CA and therefore is funda-
mental to the trust one places in a PKI. This section discusses three real-world
X.509 processes which directly use certificate policy: PKI compliance audits,
IGTF accreditation, and policy mapping for bridging PKIs. In each case, we’ll
describe the process in principle and its importance to the trustworthiness of a
PKI. Then we’ll describe how the current implementation of this process limits
trustworthiness and motivate the need for consistent operations on certificate
policies.
PKI Compliance Audits Like accreditation processes, PKI audits verify
that the certificate policies and certification practice statements are consistent
with a “framework of requirements.” In the financial services industry, ISO 21188
specifies such a framework that evolved from WebTrust and ANSI X9.79 [25].
Audits for WebTrust compliance should occur at least every 6 months [18]. Dur-
ing these audits, PKIs are evaluated with respect to five objectives: security,
availability, processing integrity, confidentiality, and privacy. Each of these objec-
tives are defined using principles, “broad statements of objectives,” and criteria,
“benchmarks that should be objective, measurable, complete, and relevant” [35].
Through Assurance Services, a Certified Public Accountant (CPA) may express
a WebTrust opinion on whether an objective is met. By keeping objective obser-
vations separate from opinion, WebTrust audits are an important and objective
process for certifying that actual practice reflects written policy. Additionally,
the International Collaborative Identity Management Forum (ICIDM) and Four
Bridges Forum (4BF) [1] are working to define a standard PKI audit process.
The IGTF also publishes a set of auditing guidelines [33].
Frequency Compliance audits are expensive in time and money, and lim-
ited by the bottleneck of human observation. Although compliance audits like
WebTrust are suppose d to occur at least every 6 months, in actual practice
they usually happen less often. Even when these audits occur on schedule, au-
ditors’ observations only sample a glimpse of much larger, continuous business
processes. By necessity, PKI audits require human intervention; expressing an
opinion based upon observed criteria requires human judgement. However, the
criteria themselves, measureable and objective by definition, do not require hu-
man judgement to measure.
Transparency Current auditing schemes lack transparency. Users cannot
evaluate an organization’s observed behavior in terms of their own trust require-
ments. Instead users implicitly delegate trust decisions to a CPA or other audit
professional. Furthermore, because ISO 21188 and ANSI X9.79 are not freely
available, the average user has no way of knowing the trust decisions being del-
egated.
4
These institutional and economic walls ensure that trust evaluation
resides at the organizational level in spite of trust’s personal nature. Through
combining documentation with computational methods, measurements of trust
4
Anecdotally, we believe the costs of ISO 21188 and ANSI X9.79 may discourage organizations from following
these standards in actual practice.
criteria could be made accessible to users to individually decide the degree of
trust they place in an organization.
Reproducibility Compliance audits, as currently practiced, are difficult to
reproduce because they are so dependant upon auditors’ individual observations.
Certainly audits attest to an organization’s trustworthiness at the time of the
last audit; however they say nothing about the current state of the organization.
Were an auditor to try to reproduce an audit, the conditions under which the
original audit occurred may be extremely difficult or impossible to reproduce
because organizations are dynamic, changing entities. Audits rely upon the past
as the sole indicator of current and future performance.
IGTF Accreditation Researchers using computational grids employ many
thousands of distributed nodes to solve complex computational problems by
sharing resources. Grids often group users under very large Virtual Organizations
(VOs) which usually reflect real-world collaborations between researchers and
institutions. Computational power, data storage, and network bandwidth all
must be shared between members of a VO. Since these resources are valuable,
access is limited based on the requested resource and the user’s identity. Each
grid must enforce these limits by providing secure authentication of users and
applications. Unauthorized access to resources is unacceptable, especially given
the large size of a VO [29]. The IGTF use s X.509 PKI to ensure that grid
authentication mechanisms meet a defined level of assurance.
A distributed architecture like the grid requires compatible, non-contradictory
policies among member organizations. An IGTF-accredited member should is-
sue policy consistent with all other members, and thereby satisfy the IGTF’s
standard for trust. The purpose of the IGTF is to “harmonize the work on au-
thentication for e-Science production infrastructures.”[21] It accomplishes this
by establishing common p olicie s and guidelines between PMAs as well as ensur-
ing compliance to the resulting Federation Document amongst the participating
PMAs. Currently, the IGTF maintains a set of authentication profiles (AP)
which specify the policy and technical requirements. During accreditation the
prospective member sends the Certificate Policy (CP) around to other members
for comments and asks multiple PMA members to review it in detail. Eventu-
ally this CP, along with recommendations from the reviewers, is presented at
the PMA meeting for immediate approval or deferral.
The IGTF defines accreditation in terms of manual procedures, institution-
alizing bottlenecks that might be eliminated through technology. Accreditation
should be defined in terms of functional requirements, not in terms of a particular
implementation of those functions.
Frequency The IGTF’s requirement that any change in policy requires reac-
creditation may penalize organizations that change policy to reflect actual prac-
tice. Since organizational practices change rapidly and policies should reflect
practice, policies need to be able to change rapidly to mirror the actual orga-
nization. So as not to penalize organizations for reporting their actual prac-
tices, reaccreditation should be defined to accommodate frequent organizational