1st Annual PKI Research Workshop: Work-in-Progress Session
www.cs.dartmouth.edu/~pki02/wip.shtml
Last modified: 07/29/02 09:43:51 PM
Summary by Ben Chinowsky, Internet2
Peter Honeyman, of the Center for Information Technology
Integration at the University of Michigan, hosted a work-in-progress
session on the evening of April 24.
Carl Ellison and Peter Alterman focused on details of work presented
more fully in the conference proper.
- Ellison discussed Brewer's CAP postulate and its applications to cert
validation. The CAP postulate states that a digital system design can
achieve any two of {Consistency, Availability, tolerance of network
Partitions}, but not all three.
- Alterman discussed the need for a bridge-to-bridge protocol for the
emerging multiple-bridge infrastructure. Among other things, such a
protocol must be able to cope with naming conflicts and transitive
trust. A variety of topologies are possible: peer-to-peer, mesh, a
forest of hierarchies, or a single rooted hierarchy.
Workshop chair Sean Smith gave an overview of projects currently
underway at the Dartmouth PKI Lab; see www.cs.dartmouth.edu/~pkilab/
for more information.
Burt Covnot, Mark Earnest, and Allison Mankin presented work not
covered in the workshop plenary sessions.
- Covnot, of Bank of America, explored "the care and feeding of
identity certificates and attribute certificates." Should customers be
issued multiple identity certificates, or should their already-issued
identity certificates be extended into broader services? Similarly,
do multiple attribute certificates help or hinder deployment of
security technologies? When certificates expire, should new keys be
generated, or should an existing private key be recertified?
- Earnest recounted Penn State's experiences with DCE, drawing
parallels with the challenges of PKI. Penn State plans to make use of
both KX.509 and Shibboleth in its PKI migration.
- Mankin gave an update on work on DNS security. The IETF DNSSEC
working group has determined that narrowly restricting the use of keys
among services minimizes problems with trust transitivity. Other
protocol designs being engineered attempt to reduce the complexity of
client implementations. After years of technical and political work,
the major players appear close to actually deploying DNSSEC.