A study on certificates in PKI

Abstract

The Public Key Infrastructure (PKI) and Wireless PKI(WPKI) are essential to many kinds of electronic businesses through the Internet. A certificate and related mechanism such as the Certificate Revocation List (CRL), and the certificate path validation are important components in PKI and WPKI. However, because a certificate does not contain its full path, a verifier must check the certificate revocation status and perform the certificate path validation, step by step. Even though a verifier finished to check the certificate revocation status and perform the certificate path validation, a verifier can only know the probabilistic answer about thaget certificate, because a CRL is published in every periodic time. In this thesis, we will propose two schemes. One is a new approach of X.509v3 certificate for full path validation. Using our proposal scheme, we can reduce the time complexity of the certificate path validation from $\emph{O(n)}$ to $\emph{O(n)}$, when $\emph{n}$ is the size of the certificate full path. In addition, using our proposed scheme, we will show an application, the Online Certificate Verification Protocol(OCVP), which requires neither the CRL mechanism nor a new trusted server. With respect to the computational load, the loads in OCVP is $\emph{2n}$ which the same in the Simple Certificate Validation Protocol (SVCP). However, SCVP uses the CRL mechanism and a new trusted server, and gives us a probabilistic answer. But, OCVP uses all CAs who are located on the certification full path and gives us an exact answer. The other can be considered as one of alternatives for CRL, a CA live list (write CAL). The point of our proposed concept is that for CA``s certificate we manage a live list in the place of a revoked list. In the ordinary case, we must check the certificate revocation status and perform the certificate path validation. However, using CAL, we only check the CA live status. Therefore, in the certificate path validation, we reduce...