CS5430 Homework 4: Certification Authorities

General Instructions. You are expected to work alone on this assignment.

Due: March 5, 2020 at 11:59pm. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution as .pdf, as follows:


Your employer --- PKI Enterprises --- has decided to develop and market PKIkit, which allows an enterprise to design and configure a distributed certification authority service that stores public keys for some set PrinNames of names.

The basic building block of PKIkit is a CA-server that PKI Enterprises will sell. It is a stand-along computer that connects to a network. A CA-server named (say) CredServ_i is provisioned with

A distributed certification authority service named DCAS that handles key bindings from principal names in PrinNames is configured by defining a set AllNames of names and defining a directed graph DCAS = ( Servers , Links ) satisfying:

Execution of a CA-server CredServ_i is a loop. Each iteration reads a look-up request message and generates a look-up response message.


Problem 1. Suppose we make the following assumptions:

(a) Give the protocol that a client cl_0 would use when starting from CA server CredServ_n to obtain a candidate certificate for a given principal A. Assume CredServ_n is an element of Servers.

(b) Describe how that client can decide whether it should trust a candidate certificate that it obtains from running the protocol given for 1(a).


Problem 2. The PKI Enterprises marketing team has decided to support a restricted form of hierarchical names like what is found in the Internet. Specifically, names that must be supported are variable-length finite lists /N1/N2/.../Ni where: (i) the length of the list is at most 5 and (ii) elements used to build the list come from some set LocalNames. The marketing team has further requested that no changes be made to the client-side protocol you gave above for 1(a). You may, however, choose names for the CA-servers, the contents of set PrinsNames, the contents of set AllNames and graph DCAS. (Hint: Don't feel restricted to using names like CredServ_i for CA-servers.)

(a) Give the set of names that PrinNames will include.

(b) Give any additional names that AllNames will include.

(c) Describe the structure of graph DCAS. Explain the rule you used for having an edge from one CA-server to another.

(d) What contents is required for the database stored by each CA-server.