Storage and retrieval of SPKI certificates using the DNS
Tero Hasu
Helsinki University of Technology,
Department of Computer Science and Engineering,
Telecommunications Software and Multimedia Laboratory
FIN–02015 HUT, Espoo, Finland
Abstract
Simple Public Key Infrastructure (SPKI) certificates can be used to represent trust and policy information in a manner that allows the authenticity and the integrity of the information to be verified. These properties make SPKI certificates useful when maintaining information and system security. The reliability of a distributed system whose security management is based on certificates may entirely depend on the availability of certificates. Clearly, such a system could benefit from having a distributed, fault-tolerant certificate repository that supports flexible administration of certificate data. The SPKI specification does not define one, however.
The Domain Name System (DNS) is a distributed database that is mainly used to provide a naming service for the Internet. It can, however, be adopted for other uses as well, by adding support for new data types to name servers and resolvers.
This thesis presents a detailed description of how the DNS can be used as an SPKI certificate repository. Existing knowledge is utilized when available, and new solutions are suggested as necessary. Among other things, the naming practice of SPKI certificates is addressed, and a scheme that offers support for two-way graph search algorithms is described. Such algorithms have previously been found to be efficient when acquiring proof of authorization from distributed databases in the form of certificate chains. Evaluation of the suitability of the DNS as a certificate repository is also given in this work.
Some of the certificate storage theory was refined and applied to practice as the author implemented a DNS resolver with certificate support, and used it to retrieve SPKI certificates from the DNS. The resolver was implemented using JaCoB, a framework for cryptographic protocols. The interface and the high-level structure of the implementation are described in this thesis.
BibTeX
@mastersthesis{Hasu99, author = "Tero Hasu", title = "Storage and retrieval of {SPKI} certificates using the {DNS}", school = "Helsinki University of Technology", month = Apr, year = 1999 }