Public key cryptography supports security services such as confidentiality (ensuring the secrecy and privacy of data through cryptographic encryption mechanisms), integrity (ensuring that data cannot be corrupted or modified and transactions cannot be altered), authentication (verifying the identity of entities) and non-repudiation (ensuring that the data cannot be renounced or a transaction denied), and a public key infrastructure (PKI) provides a foundation to implement and manage the security services supported by public key cryptography. The purpose of a PKI framework is to enable and support the secured exchange of data, credentials, and value (such as monetary instruments) in various environments that are typically insecure, such as the Internet.
The framework of a PKI consists of security and operational policies, security services, and operational protocols supporting the use of public-key cryptography through the management of cryptographic keys and certificates. The generation, distribution, and management of public keys and associated certificates occur in a PKI through the use of Certificate Authorities (CAs) and optionally Registration Authorities (RAs) and directory services, which can be used to establish a hierarchy or chain of trust. This is one of the primary principles of a PKI.
The concept of trust, relative to a PKI, can be explained by the role of a CA. In an insecure environment, entities unknown to each other do not have sufficient trust established between them to exchange secure data and perform transactions. More particularly, in public key cryptography, a user has a pair of cryptographic keys, a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Messages are encrypted by the transmitter of the message with the intended recipient's public key and can only be decrypted with the intended recipient's corresponding private key. A central problem for use of public-key cryptography is confidence or assurance that a public key is correct, belongs to the person or entity claimed (i.e., is ‘authentic’), and has not been tampered with or replaced by a malicious third party.
The implementation of a PKI using one or more CAs provides this trust. A CA allows for the implementation of digital certificates that can be used to identify different entities (e.g., individuals, groups, machines, etc.). More specifically, entities that are unknown to each other each individually establish a trust relationship with a CA. The CA (and optionally an RA) performs some level of authentication, according to established rules as noted in its Certificate Practices Statement or CPS, and then issues an entity a digital certificate certifying ownership of key pairs. That certificate is digitally signed by the CA and thus vouches for the identity of the entity; and the certificate is, typically, a message that includes, but is not limited to a name or identifies the certificate authority, identifies the end-entity, contains the end-entity's public key, identifies the certificate's operational period, contains a certificate serial number, and is digitally signed by the certificate authority. Unknown entities can now use their certificates to establish trust between them because they trust the CA to have performed an appropriate entity authentication, and the CA's signing of the certificate attests to this fact.
Certificates are managed (e.g., issued, renewed, or revoked) in response to a Certificate Service Request (CSR) sent by an entity. The CA (optionally in combination with a RA) determines whether to generate, renew, or revoke a certificate in response to a CSR. Large PKI systems have many Administrative Domains (ADs) each comprising a CA or a set of CAs and one or more RAs, Lightweight Directory Access Protocol (LDAP) directories, databases, and security and administrative staff that cater to the needs of one or more user communities (e.g., organizations, departments, etc.). A problem then becomes how to efficiently route CSRs through such large PKI systems to reach the appropriate CA to process the CSR.
Therefore, what is needed is a mechanism to route a CSR to an appropriate CA in a PKI system that includes a plurality administrative domains and a plurality of CAs that service those administrative domains by processing CSRs for requesting entities.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help improve understanding of various. In addition, the description and drawings do not necessarily require the order illustrated. It will be further appreciated that certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required.
Apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the various embodiments so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein. Thus, it will be appreciated that for simplicity and clarity of illustration, common and well-understood elements that are useful or necessary in a commercially feasible embodiment may not be depicted in order to facilitate a less obstructed view of these various embodiments.