Efficient and fresh certification

Abstract

Electronic commerce is becoming more and more commonplace, but security is still a major concern. To provide security, a good public-key infrastructure (PKI) is needed. However, PKIs have been slow in developing, with one of the major difficulties being the creation of certification authorities (CAs), and in particular, dealing with the problem of certificate revocation. We propose a new solution to this problem. Our solution is based on the idea that individually signed certificates provide little information over any significant time period, given that they may be revoked. That is, after a certain amount of time, a certificate is not useful without some more recent knowledge that it has not been revoked. In all previous work, this has either been handled by off-line/on-line schemes, which require costly updates by the CA for every outstanding certificate for every update period, or by certificate revocation lists/trees. We propose a system called EFECT (Easy Fast Efficient Certification Technique), which combines the best properties of individual certificates and certificate revocation trees. We show that EFECT allows CAs to be more secure, even while providing more frequent freshness updates for certificates, and making certification verification extremely lightweight. We compare EFECT to previously proposed systems, including traditional X.509 certificates and Certificate Revocation Lists (CRLs), SDSI/SPKI, Micali's Certificate Revocation System (CRS), Kocher's Certificate Revocation Trees (CRTs), and Naor and Nissim's 2-3 Certificate Revocation Trees (23CRTs). Finally, we discuss some novel qualities of EFECT that no previous solution possesses.