Technique to improve revocation mechanism and enhancement of CA's services

Abstract

Public Key Cryptography [PKC] is becoming popular in the world of security because of its promising features like authentication and non-repudiation along with integrity and data confidentiality. It has been possible to achieve an electronic equivalent of hand written signatures that are considered to be the most common method of providing identity proof in a non-electronic world, thanks to PKC techniques. Public Key Infrastructure [PKI] is a technology that supports PKC to achieve its intended services by implementing PKC concepts. It is considered to be one of the potential technologies for the future of e-business and e-governance. Digital certificates are one of the most important components of PKI. They are issued and signed by a trusted third party named Certification Authority to provide trust worthy binding between the entity and its public key, thus, they impute trust in the public key of a claimant. The certificate has predefined validity period after which they expire. But sometimes during its valid lifetime due to certain events, the certificate doesn't remain valid. A need arises to declare its invalidity implying withdrawal of trust that was imputed in it at the time of issuance. This event is called 'revocation' of the certificate. The information regarding this event of revocation has to propagate to the entire community that might use the certificate in question for its important transaction. 'Certificate Revocation' is one of the key issues in PKI because security of any transaction relies on the validity of the certificate used in it. Hence, the status of these certificates in terms of 'valid' / 'non- valid' becomes important information to be processed, conveyed, acquired, and managed securely. There are many mechanisms proposed for the certificate revocation information distribution.

My primary concern is to focus on some of these mechanisms and to provide some solution for this problem. I've proposed a method named "Staggered CRLs". It uses delta CRLs and shows how a CA can avoid generation of signature over the voluminous CRL and still can provide more timely information than the traditional CRL. CRLs are issued along with delta CRLs with 'slight' modification. The method avoids prefixing of next update time of CRL and makes it dynamic based on some other criteria. It provides more timely information at lesser frequency of CRL. My second proposal is about how a CA can enhance its services to the user community. I suggest to go beyond merely providing revocation information about the certificate and to add more value to the CA services by providing further information about the certificates.