16th Annual Computer Security Applications Conference
December 11-15, 2000
New Orleans, Louisiana
Scalable, Policy Driven and General Purpose Public Key Infrastructure (PKI) For the Internet
Vishwa Prasad,
Sreenivasa Potakamuri,
Michael Ahern,
Igor Balabine &
Michah Lerner
AT&T Labs
USA
This paper describes a flexible, general-purpose PKI component that provides
an easily interoperable security infrastructure. Developed at AT&T Labs,
the architecture is part of the UCAID/Internet2 efforts in PKI and scalable
security. It can host multiple certificate authorities (CAs) from different
vendors in a uniform and scalable manner, which facilitates scalable
operation with third-party CA systems and may also find utility with
multi-provider services. The component acts as a CA distributor driven by
uniform enrollment procedures based on vendor-independent PKI policies. Its
design for seamless integration makes it straightforward to connect to third-
party CA services such as Verisign. The architecture adapts software
components into a framework for secure, authenticated IP services over the
open Internet or within internal intranets. Policy descriptions, written in
XML, support explicit controls upon certificate sources and contents. These
XML-encoded policies define the issuance and acceptance of X.509v3
certificates from multiple CAs, supporting the "obligations and warranties --
even if the policy is neither recorded anywhere nor referenced in the
certificate" [1][2]. The PKI component has been developed within a general
middleware platform [6].
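The abstract describes XML policies that control both the sources (which CAs) and the contents of certificates a service will accept. The following is an added illustration, not code or the schema from the paper: the element names, the policy format and the certificate fields are constructed assumptions, and certificates are reduced to the handful of fields such a policy would inspect.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed acceptance policy (hypothetical schema, not the paper's):
# trusted issuers with a per-CA lifetime cap, plus content requirements.
POLICY_XML = """
<acceptancePolicy name="intranet-services">
  <sources>
    <issuer dn="CN=Corp Root CA,O=Example Corp" maxValidityDays="365"/>
    <issuer dn="CN=Verisign Class 3,O=Verisign" maxValidityDays="730"/>
  </sources>
  <contents>
    <requireKeyUsage>digitalSignature</requireKeyUsage>
    <requireKeyUsage>keyEncipherment</requireKeyUsage>
    <subjectSuffix>,O=Example Corp</subjectSuffix>
  </contents>
</acceptancePolicy>
"""

# Constructed sample certificates, reduced to the fields the policy checks.
TODAY = date(2000, 6, 1)
GOOD_CERT = {"issuer": "CN=Corp Root CA,O=Example Corp",
             "subject": "CN=svc1,O=Example Corp",
             "not_before": date(2000, 1, 1), "not_after": date(2000, 12, 31),
             "key_usage": {"digitalSignature", "keyEncipherment"}}
BAD_CERT = dict(GOOD_CERT, issuer="CN=Unknown CA,O=Nobody",
                key_usage={"digitalSignature"})

def evaluate(policy_xml, cert, today):
    """Return the list of policy violations; an empty list means accepted."""
    root = ET.fromstring(policy_xml)
    issuers = {i.get("dn"): int(i.get("maxValidityDays"))
               for i in root.iter("issuer")}
    violations = []
    # Source control: the issuing CA must be listed, and its lifetime cap honoured.
    max_days = issuers.get(cert["issuer"])
    if max_days is None:
        violations.append("issuer not in policy: " + cert["issuer"])
    elif (cert["not_after"] - cert["not_before"]).days > max_days:
        violations.append("validity exceeds %d days for issuer" % max_days)
    # Content controls: time window, required key usages, subject namespace.
    if not (cert["not_before"] <= today <= cert["not_after"]):
        violations.append("certificate not valid today")
    for ku in root.iter("requireKeyUsage"):
        if ku.text not in cert["key_usage"]:
            violations.append("missing key usage: " + ku.text)
    suffix = root.findtext("contents/subjectSuffix")
    if suffix and not cert["subject"].endswith(suffix):
        violations.append("subject outside policy namespace")
    return violations
```

Because the acceptance rules live in the policy document rather than in the certificate, the same relying party can accept certificates from several vendors' CAs under one set of controls, and a change of CA requires only a policy edit.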