Policy-directed certificate retrieval

Carl A. Gunter, Trevor Jim

Research output: Contribution to journalArticlepeer-review


Any large scale security architecture that uses certificates to provide security in a distributed system will need some automated support for moving certificates around in the network. We believe that for efficiency, this automated support should be tied closely to the consumer of the certificates: the policy verifier. As a proof of concept, we have built QCM, a prototype policy language and verifier that can direct a retrieval mechanism to obtain certificates from the network. Like previous verifiers, QCM takes a policy and certificates supplied by a requester and determines whether the policy is satisfied. Unlike previous verifiers, QCM can take further action if the policy is not satisfied: QCM can examine the policy to decide what certificates might help satisfy it and obtain them from remote servers on behalf of the requester. This takes place automatically, without intervention by the requester; there is no additional burden placed on the requester or the policy writer for the retrieval service we provide. We present examples that show how our technique greatly simplifies certificate-based secure applications ranging from key distribution to ratings systems, and that QCM policies are simple to write. We describe our implementation, and illustrate the operation of the prototype.

Original languageEnglish (US)
Pages (from-to)1609-1640
Number of pages32
JournalSoftware - Practice and Experience
Issue number15
StatePublished - Dec 2000
Externally publishedYes

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Policy-directed certificate retrieval'. Together they form a unique fingerprint.

Cite this