A computational framework for certificate policy operations
Summary
1 Introduction
- The fundamental purpose of PKI is to allow relying parties to trust users based upon a set of credentials the user has proven they have control over.
- Federations and bridges ensure that the requirements for trust are met through compliance audits, whether for accreditation or cross-certification respectively.
- This section presents their contributions in the context of previous work on the identification, representation, and manipulation of certificate policies.
- CTS-URNs enable the tools the authors built to compute with respect to a policy's reference structure, identifying individual security provisions or the document in its entirety.
- Algorithms are unambiguous, and when their implementations are open source, the underlying process is transparent to the user.
2 Problems with Manual Certificate Policy Processes
- This section discusses three real-world X.509 processes which directly use certificate policy: PKI compliance audits, IGTF accreditation, and policy mapping for bridging PKIs.
- Reproducibility: Compliance audits, as currently practiced, are difficult to reproduce because they depend so heavily upon auditors' individual observations.
- The IGTF uses X.509 PKI to ensure that grid authentication mechanisms meet a defined level of assurance.
- Since organizational practices change rapidly and policies should reflect practice, policies must be able to change just as rapidly to mirror the actual organization.
- As such, diligent organizations keeping their policy statement up to date pose a challenge to bridge CAs who must manually map a member CP into their own.
3 Computational Tools: Design and Implementation
- The authors designed and implemented the PKI Policy Repository, PolicyBuilder, and PolicyReporter to improve the efficiency and consistency of policy retrieval, creation, and comparison.
- Each of these tools rests upon their formalization of certificate policy: the authors identify and reference policy via CTS-URNs and represent policy in TEI-XML (TEI P5 Lite).
- Each tool fully or partially automates one or more of the policy operations and improves their frequency, transparency, and reproducibility.
- These tools will be released in an open source distribution following publication.
- The authors then present each of their solutions in the context of current actual practice and prior research on policy formalization.
PKI Policy Repository
- The PKI Policy Repository stores certificate policies for retrieval by their reference structure.
- PKI audits, accreditation, and policy mapping depend upon the referencing and retrieval of certificate policies, and yet little work has been done to automate or partially automate these fundamental processes.
- Reference: Certificate policies are reference works by design.
- Policy comparison proceeds much more quickly between two policies sharing the same reference structure.
- In actual practice, people are interested in referencing meaningful sets of security requirements.
CTS-URN OID
- Trcek et al.'s DNS-like system used machine-actionable, human-readable references to security policy domains, allowing one to reference meaningful sets of security requirements [34].
- Using OID-encoded CTS-URNs allows multiple versions of a policy, whether plain text, XML, or code, to be uniformly referenced through a parallel citation scheme.
- For digital editions of reference works, the authors claim that page numbers are an unnecessary artifact of print.
PolicyBuilder
- The PolicyBuilder fills the need for machine-assisted policy creation while facilitating the review and evaluation of newly-created policies.
- Policy content currently includes assertions, i.e. security requirements qualified by MUST, SHOULD, or another of the requirement keywords defined in RFC 2119.
PolicyReporter
- The PolicyReporter helps users obtain more, higher-quality information useful for comparing certificate policies.
- Even for a person with a lot of experience, manually comparing two certificate policies can take 80-120 hours depending upon the reference structure of the policies compared.
- It also allows a standard set of analyses for comparing CPs to develop.
- The PolicyReporter aggregates information about a set of policy provisions (the criteria for comparison) into a report by walking the citation structure of each text.
- The generated RFC 3647 policy can then be loaded into the PKI Policy Repository and used like any other document.
4 Evaluation
- This section demonstrates that their tools, in particular the PolicyReporter, actually address current limitations of compliance audits, IGTF accreditation, and policy mapping.
- The authors' experimental evaluations compare the duration of two common certificate policy operations when performed manually and when using their PolicyReporter.
- In the automated case, the authors timed the steps necessary to generate a report using the SourceTextAnalysis and RFC2119Analysis (the latter counts occurrences of RFC 2119 keywords in each of three categories to indicate the significance of a requirement) and to view each of the sections in that report.
- The authors have experimentally demonstrated that the PolicyReporter does make CP comparison more efficient and consistent.
- The authors used the mapping defined in RFC 3647, and in three time trials the PolicyReporter enabled them to complete the mapping in 50, 39, and 35 seconds respectively.
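The retrieval-by-reference-structure idea behind the PKI Policy Repository, the RFC 2119-qualified assertions the PolicyBuilder works with, and the PolicyReporter's habit of walking the citation structure of each text to aggregate a chosen set of provisions can all be seen in miniature below. This is an added example written for this page, not the authors' tools: where their software references policy via CTS-URNs and stores TEI P5 Lite XML, this toy uses plain RFC 3647 section numbers on plain text as a stand-in. The two policy fragments are constructed sample text, not any real CA's policy, and the grouping of the RFC 2119 keywords into three categories is an assumption, since the page says the analyser uses three categories but does not list them.

```python
"""Toy certificate-policy repository, reference retrieval and RFC 2119 analysis."""
import re
from collections import Counter

# Constructed sample policies numbered per the RFC 3647 outline (not real CA text).
# Simplification: a line that starts with a section number is a heading; body lines
# are assumed never to begin with a digit.
CP_ALPHA = """\
3.1 Naming
3.1.1 Types of names
Subject names MUST be X.500 distinguished names.
Certificates MAY include a subjectAltName extension.
3.2 Initial identity validation
The CA SHALL verify the applicant's identity against a government-issued photo ID.
4.9 Certificate revocation and suspension
4.9.1 Circumstances for revocation
The CA MUST revoke a certificate within 24 hours of confirmed key compromise.
Subscribers SHOULD request revocation when a key is no longer in use.
"""

CP_BRAVO = """\
3.1 Naming
3.1.1 Types of names
Subject names SHOULD be X.500 distinguished names; e-mail addresses MAY be used.
3.2 Initial identity validation
Identity MAY be verified remotely. The RA SHOULD record the evidence examined.
4.9 Certificate revocation and suspension
4.9.1 Circumstances for revocation
The CA MUST revoke a certificate upon confirmed key compromise.
"""

# Assumed three-way grouping of the RFC 2119 keywords (the page does not list them).
# Keywords are matched case-sensitively, as RFC 2119 requires them to be capitalised.
RFC2119_CATEGORIES = {
    "requirement": ("MUST NOT", "SHALL NOT", "MUST", "SHALL", "REQUIRED"),
    "recommendation": ("SHOULD NOT", "NOT RECOMMENDED", "SHOULD", "RECOMMENDED"),
    "option": ("MAY", "OPTIONAL"),
}
_ALL_KEYWORDS = [k for ks in RFC2119_CATEGORIES.values() for k in ks]
# Longest alternatives first so "MUST NOT" is not counted as a bare "MUST".
_KEYWORD_RE = re.compile(
    r"\b(" + "|".join(sorted(_ALL_KEYWORDS, key=len, reverse=True)) + r")\b")
_HEADING_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+(\S.*)$")


def parse_policy(text):
    """Split a section-numbered policy into {section: (title, body_text)}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _HEADING_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = [m.group(2), []]
        elif current is not None and line.strip():
            sections[current][1].append(line.strip())
    return {ref: (title, " ".join(body)) for ref, (title, body) in sections.items()}


def retrieve(policy, ref):
    """Return the text of section `ref` plus all of its subsections (walks the structure)."""
    parts = [policy[r][1] for r in policy if r == ref or r.startswith(ref + ".")]
    if not parts:
        raise KeyError(ref)
    return " ".join(p for p in parts if p)


def rfc2119_counts(text):
    """Count RFC 2119 keywords in `text` by category."""
    counts = Counter({cat: 0 for cat in RFC2119_CATEGORIES})
    for kw in _KEYWORD_RE.findall(text):
        for cat, keywords in RFC2119_CATEGORIES.items():
            if kw in keywords:
                counts[cat] += 1
    return dict(counts)


def report(policies, criteria):
    """Aggregate the `criteria` sections of each policy side by side, with keyword counts."""
    out = {}
    for ref in criteria:
        out[ref] = {}
        for name, policy in policies.items():
            text = retrieve(policy, ref)
            out[ref][name] = {"text": text, "rfc2119": rfc2119_counts(text)}
    return out


if __name__ == "__main__":
    policies = {"alpha": parse_policy(CP_ALPHA), "bravo": parse_policy(CP_BRAVO)}
    for ref, per_policy in report(policies, ["3.2", "4.9"]).items():
        print(f"== RFC 3647 section {ref} ==")
        for name, entry in per_policy.items():
            print(f"  {name}: {entry['rfc2119']}\n    {entry['text']}")
```

Running the module prints, for each criterion section, the provision text of both policies next to one another with the keyword tally, which is the shape of information a reviewer mapping one CP onto another wants in one place rather than by paging through two PDFs.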
7 Conclusions
- To conclude, their PKI Policy Repository, PolicyBuilder, and PolicyReporter make real-world CP operations more efficient and consistent.
- The authors have empirically demonstrated their utility in aggregating information for policy comparison and policy mapping, two common tasks performed in compliance audits, grid accreditation, and bridging PKIs.
- The authors' tools streamline these processes, making them more efficient and providing auditors with more, higher-quality information.
- The authors' tools allow people to specify a set of provisions that mimics how they actually make trust decisions.
- While the authors hope that their tools will reduce the costs associated with creating and maintaining a PKI, more importantly they hope to empower people to make their own trust decisions through a usable policy framework.
Frequently Asked Questions
Q2. What future works have the authors mentioned in the paper "A computational framework for certificate policy operations" ?
In future work, the authors plan to package their tools for release in an open source distribution hosted at OpenCA Research Labs [28]. Most urgently the authors need to extend the automated policy mapping to include all security provisions, not just policy units in Section 1. Their first experiment also revealed the need to extend the tools to resolve references to other sections of text that occur within a policy statement. Given that high-level policy statements can be mapped into software, the authors also plan to investigate how they might be explicitly mapped into hardware.
Q3. How many time trials did the authors perform to control for variables?
The authors performed ten time trials to control for variables which could affect the time necessary to collect the information specified by the evaluation criteria.
Q4. What does the IGTF do to ensure that the requirements for trust are met?
Federations and bridges ensure that the requirements for trust are met through compliance audits, whether for accreditation or cross-certification respectively.
Q5. What is the speed of comparing policy?
Trials 8, 9, and 10 in the timing data reveal that the speed of consolidating information for policy reviews depends less on the number of unit policies to compare and more upon the proximity of those passages to one another in the text.
Q6. What is the contribution of the policy?
Their contribution is a policy representation that humans can use as a primary source for informed policy decisions and which computers can process.
Q7. What is the way to extract the content from a certificate policy?
Extracting the content from CP sections pertaining to issuing new certificates (RFC 3647, Section 3.1), revocation requests (3.4), certificate issuance (4.3), and certificate [...]
(Footnote: The FPKIPA recommends all members use RFC 3647 format for all cross-certified CPs [2].)
Q8. How long did the policy reporter take to complete the mapping?
The authors used the mapping defined in RFC 3647, and in three time trials the PolicyReporter enabled them to complete the mapping in 50, 39, and 35 seconds respectively.
Q9. What is the common method of retrieving a policy?
Retrieval: Retrieving referenced sections of security policy traditionally involves turning printed pages or scrolling through a PDF.