ADoCSI: Towards an Alternative Mechanism for Disseminating Certificate Status Information
John ILIADIS 1,2, Stefanos GRITZALIS1,2, Dimitris GRITZALIS3, Sokratis KATSIKAS 1
1 Dept. of Information & Communication Systems, University of the Aegean
30 Voulgaroktonou St., Athens GR-11472, Greece
2 Department of Informatics, Technological Educational Institute (T.E.I.) of Athens,
Ag.Spiridonos St., Aegaleo, GR-12243, GREECE
3 Dept. of Informatics, Athens University of Economics & Business
76 Patission St., Athens GR-10434, Greece
Certificate, Certificate Revocation, Certificate Status, Certificate Revocation List, Agents.
The banking sector has been using electronic transactions at a satisfactory functional and security level for quite a while. Security-aware and capable service providers (i.e. the banks) have been providing their customers with electronic services, and the latter have been used to following simple security guidelines, like keeping magnetic stripe cards at a safe place, keeping PIN codes secret etc. The explosion of Internet usage and the emergence of e commerce and e business introduced a whole new modus operandi regarding electronic transactions:
transacting entities do not belong in a closed, controlled group (like bank customers and banks),
transactions do not occur within private networks (such as the banking network or other private, corporate networks); instead, public, unsafe and uncontrolled networks are used,
a dynamic, constantly increasing, group of entities has the capability to offer services over these public networks; these entities do not always have the capability to perform detailed analyses of the security requirements concerning the services they provide,
users do not necessarily comprehend the underlying complexity of the transaction systems they use; most of them are not sensitive or cautious enough when it comes to security decisions [Spruit98].
What banks have accomplished through Automatic Teller Machines and EFT/POS?? machines is to provide their clients with a communication medium the latter consider to be a trusted path of communication with their bank. The uniformity of ATMs globally and they fact that users are not required to comprehend the underlying security infrastructure probably contributed to them being so succesful.
Cardholders use their cards in merchants’ EFT/POS bank provided machines, and the latter communicate with the Acquirer Bank which, in turn, communicates with the Issuer Bank in order to check revocation status of the card and authorise the transaction. The communication between EFT/POS and Acquirer Bank and the communication between the Acquirer Bank and the Issuer Bank is transparent to the merchant and the cardholder. The cardholder needs only to know its own PIN code, while the merchant needs to know nothing at all on the verification process. Therefore, the security measures protecting the transaction are transparent both to the cardholder and to the dependent entity, i.e. the merchant.
Service providers in the Internet have been using PKI lately, in more or less the same way. Certificates and CAs have been used as a means to construct a trusted path of communication between client and service provider. So far, it seems to go well. However, what has not been accomplished yet is to hide the complexity of the underlying security infrastructure put in place, in communication between the users of a service and the service provider.
Users –in the Internet– have to comprehend the mechanics of using digital certificates as a means to authenticate. In particular, dependent entities have to verify themselves the revocation status of certificates they are presented with. Mechanisms have been deployed in order to facilitate or automate verification of a certificate’s status. Certificates themselves may include fields with URLs pointing to Certificate Revocation Lists (e.g. distributionPointsCrl???) or to Online Certificate Status Protocol responders [OCSP, ??]. Software that makes security decisions based on presented certificates has been developed to use those URLs in order to retrieve revocation information and do the verification by itself, if it is properly configured.
Entities transacting over the Internet, both dependent ones and certificate holders, are rarely security experts. One should not demand from them understanding of the security measures put in place in order to protect their transactions. Neither the certificate holders (authenticating entities or signers) nor the dependent entities should have to contribute manually to the location and validation of Certificate Status Information (CSI). That shouldn’t be the job of certificate holders or dependent entities, as it is not the job of real world merchants to locate or validate credit card revocation information.
Certainly, one could argue that it should be the responsibility of certificate holders to provide dependent entities with the most current CSI [Rivest98]. Rivest also claims that it should be the responsibility of the dependent entities to set the requirements CSI they are presented with has to meet. Although entities that offer services over the Internet can very well be security aware, much more than the certificate holder on an average, that does not make them security experts. Furthermore, dependent entities as well as certificate holders are usually not so knowledgeable, motivated and perceptive [Spruit98] regarding security controls. They don’t always follow good security practice. Therefore, certificate holders and dependent entities are bound to make security mistakes or overlooks, consciously or unconsciously, leading to direct or indirect failing. Human failing is in many cases the reason for the malfunction of a security mechanism, the incorrect use of a security service or a security breach [Spruit96]
Furthermore, PKI users sometimes have to make security decisions in order to facilitate certificate path validation. The number of questions has to be restricted and the way they are posed has to be studied carefully, otherwise security layer transparency will cease to exist and users may fall back to a position where they should strive to understand the mechanics of CSI mechanisms. This often leads computer users to direct or indirect failing [Spruit98] or ‘authorisation fatigue’.
If we want to make sure PKI users receive complete and timely CSI concerning the transactions they perform, we have to assign the responsibility for CSI location and validation to Certification Authorities, in analogy to the banking sector paradigm.
PKI seems to be gaining users’ confidence; however, PKI enabled services are not yet security transparent enough. Users do not always comprehend the complexities of security mechanisms, and they should not be obliged to, after all. Transparency of security mechanisms is a solution to these problems. However, a transparent mechanism for the dissemination of CSI must not lack the security features provided by the other non transparent mechanisms. We claim an agent based mechanism could meet those requirements. An agent based mechanism responsible for locating and validating CSI, leveraging this burden from dependent entities and certificate holders.
In this paper, we present the prototype of an alternative mechanism for disseminating certificate status information, which we call ADoCSI (Alternative mechanism for the Dissemination Of Certificate Status Information [Iliad99]. Our mechanism is based on Software Agents [??], and its use promotes security transparency in PKI enabled services over the Internet.
This paper is organized as follows: In section 2 we present a short overview of Software Agents. In section 3, we introduce our mechanism, ADoCSI. Section 4 contains our thoughts for future work on the mechanism, while in section 5 we draw our final conclusions.
Agents have recently been (and still are) a major research topic, both for the academia and for the industry, for various reasons [Petrie97]. The researchers, trying to define accurately their view and specifications of Agents, came up with a variety of alternative names or adjectives. A short review of those follows [Nwana96], [Chess95]:
Static. Agents that do not transport themselves to execution environments other than the one they were originally. They remain at that execution environment and use other methods in order to communicate with other agents, such as RPC,
Mobile. These agents can transport themselves to other execution environments in order to communicate locally with other agents and at the same time they can preserve the external state they had in the previous location,
Deliberative. Agents that contain internal reasoning and collaborate with other agents in order to achieve their goals,
Autonomous. Agents that have states and goals and do not need user feedback or interaction (except perhaps an initial user feedback) in order to carry out their tasks and reach their goals,
Co-operative. Agents that co operate with other agents in order to reach their goals,
Interface (also called User). Agents that sit between another agent and a user. The user communicates with the interface agent only, and the latter transforms the user’s goals into formal statements and procedures and assigns those to the other agents; the interface agent launches agents on behalf of the user, co-ordinates them and provides the results of their work back to the user,
Heterogeneous. Agents that encompass several of the characteristics of the other agents and can talk to other agents through the use of a standard agent communication language, thus providing for interoperability between agents.
This wide spectrum of names result in semantic overlap and confusion. Furthermore, since there were no criteria for ‘agenthood’, some researchers came up with software constructs which they called Agents, even though they did not have any of the functionality that characterises Agents [Petrie97]. Genesereth [Gene94] argues that the criterion for ‘agenthood’ is a behavioural one; a software application is an agent if and only if it communicates with other software applications, using an Agent Communication Language (ACL). According to Genesereth, typical object oriented applications cannot be characterised as agents since the messages exchanged between the objects may have different semantics when exchanged between different objects. On the contrary, the semantics of a language construct in an ACL is always the same, no matter which two agents is it that this message is being exchanged between. There are many criteria one can use in order to develop a taxonomy of Agents. However, the lack of a widely accepted standard practice which could act as a reference point, renders these taxonomies rather inaccurate or at least not in accordance with other ones.
We should clarify at this point that in this paper we are not interested in any Artificial Intelligence properties Agents may have. We are only interested in the distributed functionality they offer, since we can use that in order to meet some of the CSI dissemination criteria [Iliad00b] that other CSI dissemination mechanisms do not meet. The agents we describe in this document are mobile, deliberative, heterogeneous and (some of them) interface agents. However, since we are not interested in establishing a new name for the agents we discuss, we will be referring to them simply as Agents or CSI Agents. We would like to warn the reader that the term CSI Agents does not constitute a new flavour of Agents. We will use it as a reference name to the mechanics of our Agent construct throughout this document. The agents we will describe must use a standard way of talking to each other. One of the examples of languages used by agents to communicate is the Knowledge Query and Manipulation Language (KQML) [Lamb97], [KQML], which describes programmatic content and the Knowledge Interchange Format (KIF) [Gene92b], [Chess95] which can be used to form knowledge representations, express tasks and goals. Another example is the more recent Agent Communication Language (ACL) of the Foundation for Intelligent Physical Agents (FIPA) [FIPA98b???more recent??]. The advantage of using such a language for agent communication instead of messages with proprietary content format is that it will be possible for the agents involved in our scheme to be updated transparently by their owners or developers, without affecting the interoperability or agent inter-communication. CSI Agents could expire, and their owners or developers will have to (transparently) replace them with new ones at that time (see section 3.5). These actions are not going to affect the operation of our scheme, since the communication between agents will remain the same, being based on one of the aforementioned agent communication languages.
The agents we will present must meet the following requirements:
they must be able to suspend execution and resume it at another execution environment,
they must retain their state, when transporting themselves to other execution environments,
they must be able to create child agents and deploy them,
they must be able to select a network location, out of a list of locations, with the least network congestion,
they must be able to communicate the retrieved information back to their owner or to their owner’s application that spawned the agent.
We should note here that we are not going to examine the mechanics of the implementations of Agent infrastructures. Implementations exist [Frost96], [Aglets], [Odyssey] that meet the requirements set in this section, as far as Agent design and operation is concerned.
In this section we present the prototype of an alternative mechanism for disseminating CSI. We shall be calling this mechanism ADoCSI (Alternative Dissemination Of Certificate Status Information). The Agents described in this mechanism exchange CSI, in one (or more) of the formats described in [Iliad00a]. This mechanism makes extensive use of the properties and functionality of the CSI mechanisms presented in [Iliad00a], and provides at least one additional feature: the transparency in disseminating CSI [Iliad00b].
Let us consider the entities that take part in our mechanism (Figure 2??):
CA: The three CAs in Figure 2 offer the standard services a CA should offer. In addition to that, they develop the CA-CSI Agents and the User-CSI Agents, which are used throughout ADoCSI for the dissemination of CSI
Agent Meeting Places (AMP) [Chess95]: They are also called Agent Platforms (AP) [FIPA98a]. These provide the physical infrastructure where agents can be transported to and communicate with other agents that are already there. In ADoCSI, AMPs must also possess a X.509v3 certificate which will be used in order to authenticate the AMPs against the Agents that visit them. If CAs decide to have their CA-CSI Agents installed in more than one AMP, the agents sent by the dependent entities in order to retrieve CSI can select to visit a specific AMP if it serves the least number of CSI requests and if the communication lines to that AMP’s direction are less congested to others. AMPs could be operated and controlled by the CAs themselves or they could be a separate Trusted Third Party.
Directory Facilitator Agent (DF): These agents are resident (static) within the AMPs. They keep a complete and up to date register [Gene92], [FIPA98a] with the services offered by the Agents that are in the AMP and the methods other Agents should use in order to communicate with the former. In our mechanism, we assume that the DF will also be able to perform verification of the digital signatures on Agents. However, in an implementation it will most probably be another Agent inside the AMP that will do this job. We assume that the DF can undertake that task as well, in order to reduce the complexity of our ADoCSI specification.
Dependent entity: An entity that wishes to verify the validity of the certificate of another entity. The latter may have tried to authenticate (authenticating entity) against the dependent entity in order to access the services offered by the dependent entity, or the latter may have received offline, signed communication (e.g. e mail) from another entity (signer). In both cases, the dependent entity wishes to verify the validity of the certificate presented by the aforementioned entities (authenticating entity or signer).
Authenticating Entity: An entity that attempts to authenticate against the dependent entity in order to gain access to the services offered by the latter.
Signer: An entity that has sent to the dependent entity a signed piece of information.
Certification Authority Certificate Status Information (CA-CSI) Agent: This Agent is developed by the CA and it contains the latest available CSI, in one (or more) of the formats discussed in [Iliad00a]. CA-CSI Agents have short validity periods. Entities communicating with CA-CSI Agents can verify the validity period of such an Agent because the CA-CSI Agent contains a timestamp (time of CSI inclusion in the Agent) and a validity time period, and the Agent is signed with the CA private signing key; CAs issue new Agents if their validity period is close to the expiration date or if there is fresher CSI available at the CA, compared to the CSI stored in the Agent. Once a new Agent is issued, it is sent to the AMP. In case the Agents also serve CSI that is very frequently updated (e.g. Freshest CRLs, [??]), then this CSI can be stored externally, in the AMP, in a location where Agents can have access to. User-CSI Agents communicate with CA-CSI Agents at the AMPs in order to locate, validate and retrieve the CSI they are interested in. If CA-CSI Agents can deliver CSI in more than one ways or formats, then they negotiate with the requesting agents in order to deliver the CSI in a manner that meets best the CSI requirements set forth by the requesting agents, like freshness of information and maximum volume of information. In order to increase the availability of the system, CAs may decide to have their CA-CSI Agents installed in more than one AMP, thus allowing for load balancing of the communication traffic due to CSI requests.
User Certificate Status Information (User-CSI) Agent: This Agent is also developed by the CAs and it is given to the dependent entities, that is any entity that wishes to use the agent based scheme in order to retrieve CSI. This Agent is signed by the dependent entity every time the Agent is sent to locate and retrieve CSI. This signature is used throughout the Agent’s life in order to verify its integrity and origin.
Interface Agent: The Interface Agent (IA) interacts with the User-CSI Agent and the applications that the dependent entity is using. IA generates and launches a new User-CSI Agent whenever the aforementioned applications need new CSI. Furthermore, it is the Interface Agent that installs the retrieved CSI at the local repository of the dependent entity, perform any certificate path validation needed and collaborate with the applications the dependent entity uses in order to inform the entity of any progress or changes concerning the requested or retrieved CSI. IAs that interact with specific software applications should be developed by the software companies that develop the aforementioned software applications.
Figure 2: ADoCSI infrastructure
The AMP location function can be implemented in the following ways:
location information is stored at the CA, and the User Agent will have to retrieve it before transporting itself to the AMP,
location information is stored in the CA-CSI Agent and it is given to the User-CSI Agent at the AMP,
location information is stored at the certificate of the authenticating entity (or signer) and the Interface Agent will have to retrieve it and deliver it to the User-CSI Agent,
location information is stored in the CA certificate and the Interface Agent will have to retrieve it and deliver it to the User-CSI Agent,
location information is stored in the User-CSI Agent.
The location of the AMP or AMPs that host the CSI Agent of a CA can be stored in a repository maintained by that CA, such as the Directory. The location information should be signed by the CA in order to enable the dependent entity to verify its integrity, unless the communication protocol supported by the CA repository includes integrity protection. If this is the way the location function is implemented, the User-CSI Agent will have to lookup the location information at the CA repository and verify the CA signature on that, before transporting itself to the AMP. A possible enhancement could be caching the location information in the local user environment, in order to avoid having the User-CSI Agent lookup the location information every time, before transporting itself to the AMP.
However, a CA may decide to stop trusting a specific AMP for hosting the CA-CSI Agent. In this case, the User CSI Agent who is using the cached location information will not know about it. This is one of the cases where the short lifetime of CA-CSI Agents could prove to be useful. If a CA decides to trust no longer an AMP for hosting the CA-CSI Agent, the CA will no longer update the CA-CSI Agent in that AMP, therefore even if a User-CSI Agent visits the specific AMP, it will not meet a non expired CA-CSI Agent.
A minor variation of the location function exists. This can be done in case the CA decides that online communication between the dependent entities and the CA should be avoided or at least should not be frequent. The location of the AMP or AMPs that host the CA-CSI Agent can be stored inside the CA-CSI Agent himself. Certainly, the dependent entity would have to retrieve this information for the first time from the CA, manually. Once this is done and the User-CSI Agent knows which AMP to visit for the first time, it will cache at the local storage area of the dependent entity that information and update it whenever the CA-CSI Agent gives the User-CSI Agent new location information.
AMP location information can also be stored in the X.509v3 certificate delivered by the authenticating entity (or signer) to the dependent entity. The Interface Agent can retrieve that information from the certificate and deliver it to the User-CSI Agent, before sending the latter to the AMPs in order to retrieve CSI on the aforementioned certificate. In this case, the User-CSI Agent does not have to find the AMP location from the CA or the CA-CSI Agent, therefore the communication and processing costs related to the actions of User-CSI Agent are decreased. However, the costs associated with distributing the certificates themselves are increased in this case, since the certificates contain additional information. In this case, the dependent entity is open to Denial of Service attacks, since the location information can only be changed (by the CA) whenever a new certificate is issued (or renewed). Therefore, if all AMPs mentioned in the certificate cease offering services, or if the CA stops trusting them and therefore stops sending updated CA-CSI Agents to those AMPs, the User-CSI Agent of the dependent entity will not be able to locate an AMP to retrieve CSI from.
A variation of the aforementioned location function is to store the location information in the CA certificate. In this case, the costs associated with the communication and processing done by the User-CSI Agent are also decreased, and costs associated with distributing the certificates are not that increased since it is only the CA certificate that contains additional information, not all the certificates issued by the CA. However, the dependent entity is more vulnerable to Denial o Service (DoS) attacks, because the validity period of a CA certificate is longer than that of any other certificate issued by that CA.
A way to deal with possible DoS attacks related with the last two types of location functions would be to have the first type of location function operational as well. If the third or fourth type of location function fails (DoS), the first type of location function can provide the dependent entity with the AMP location that is needed.
The CAs could develop User-CSI Agents in such a way that the Agents themselves decide which location function to use, every time they are called to retrieve CSI. This decision should be based on criteria like which location functions are available, which location function was used the last time the Agent was called to retrieve CSI, whether that function executed successfully or not, and user preferences regarding the location function to be used.
Finally, the location information could be stored inside the User-CSI Agent. The Agent would not need to locate and retrieve the AMP location information. His operation will be simpler and the size of the User-CSI mobile code application will be smaller, therefore communications costs related to the transport of the User-CSI Agent will reduce.
Once the User-CSI Agent is in the AMP, it contacts the Directory Facilitator in order to locate the CA-CSI Agent that holds the CSI he is interested in. The User-CSI Agent has to form a query in a predetermined Agent Communication Language and send it to the Directory Facilitator, who will reply to the User-CSI Agent using the same ACL as well. If the CA-CSI Agent that contains the information the User-CSI Agent is interested in, does not reside in that AMP then the DF should refer the User-CSI Agent to another AMP.
DF maintains a database with all the CA-CSI Agents that reside in the AMP and the respective CSI they hold. Whenever a CA-CSI Agent is transported to the AMP by the respective CA, it has to contact the DF in order to inform the latter of the CSI it holds. The DF should also update the aforementioned database by polling the resident CA-CSI Agents. This ensures that even if the DF was unavailable at the time a new or updated CA-CSI Agent tried to contact the DF or if a CA-CSI Agent was removed abruptly (e.g. accidental cease of operation, perhaps due to a software bug) from the AMP, the DF will become aware of that and will have the database updated with the relevant information. A CA-CSI Agent may have to be removed from the AMP because the CSI it contains is no longer valid or because the Agent has expired.
Having located the CA-CSI Agents they seek, User-CSI Agents communicate with them and perform a series of queries, using a predetermined ACL. Since a CA-CSI Agent could deliver CSI in a number of different formats [Iliad00a], User-CSI Agents will negotiate with the CA-CSI Agents in order to have the latter deliver the CSI in a way that meets best the requirements set by the dependent entity. The negotiation parameters that can be used, include:
Freshness of CSI. The freshness of the CSI received by a User-CSI Agent may vary, depending on the mechanism the CA-CSI Agent used to deliver that information,
Length of CSI. The length of the CSI received by a User-CSI Agent may vary, depending on the mechanism the CA-CSI Agent used to deliver that information. There are mechanisms (e.g. CRL) where the communicated CSI contains always more information than necessary (i.e. CSI on certificates that the dependent entity is not interested in),
Estimated time of CSI delivery to the dependent entity. The time that is estimated to take for the CSI to be delivered to the dependent entity varies, depending on the length of the information and the availability and bandwidth of the network that connects the AMP and the dependent entity. The User-CSI Agent should be able to evaluate the bandwidth and availability of the aforementioned network and decide on the time it will take to carry the information back to the dependent entity. Furthermore, the User-CSI Agent should request from the CA-CSI Agent for CSI that meets specific length restrictions, in order to be able to transport it back to the dependent entity within the specified time period,
Delegation of certificate path validation. This validation can be performed either by the CA-CSI Agent or the Interface Agent, depending on the mechanism used for delivering the CSI to the User-CSI Agent,
Bounded revocation. The User-CSI Agent may choose to prefer one CSI dissemination mechanism to another because the former supports bounded revocation [Iliad00b].
Once the User-CSI Agent has at his disposal CSI, it must validate it. The Agent must verify that CSI it obtained, concerns the certificate it has been instructed to find CSI on. If it is so, the Agent must transport itself back to the dependent entity. If the latter is not connected to the network at that point of time, the User-CSI Agent should be allowed to remain at the AMP for a predetermined maximum amount of time, waiting for the dependent entity to connect back to the network.
Validation of a certificate path can be performed by the Interface Agent or it can be delegated to the CA-CSI Agent. In any case, the dependent entity should be able to verify the authenticity of the received CSI. If the certificate path has been validated by the CA-CSI Agent, the dependent entity should be able to verify that the received, processed, CSI is authentic; if the certificate path is to be validated by the Interface Agent, the dependent entity should be able to verify the authenticity of the certificate path information received.
The role of the Interface Agent (IA) is to provide a link between the User-CSI Agent and the PKI aware applications the dependent entity uses. The IA has access to the certificate and CSI repository of the dependent entity (e.g. the computer filesystem), which it updates as soon as new CSI becomes available. Furthermore, the PKI aware applications that reside at the site of the dependent entity communicate with the IA in order to request CSI on specific certificates. It is the IA that will then form a CSI query, using a predetermined ACL, describing the CSI that has to be retrieved and the retrieval negotiation parameters. Also, the IA may inform the User-CSI Agent on the location of the AMP to visit, if that information is stored in the certificate of the authenticating entity or signer, or in the respective CA certificate. Consequently, the IA spawns a User-CSI Agent and assigns to it the task to perform the ACL query. Once the User-CSI Agent returns to the dependent entity location, it communicates with the IA in order to deliver the CSI that has been retrieved. The IA must be able to identify the User-CSI Agent, once it comes back, verify his integrity, recall the query it was assigned with and examine whether the User-CSI Agent did return with the requested CSI. If certificate path validation has not been delegated to the CA-CSI Agent, the IA will perform the certificate path validation or leave this task for the application itself, if the application supports certificate path validation. The IA will install the new CSI in the certificate and CSI repository of the dependent entity and inform the application of the new CSI that is available.
In case the dependent entity wishes to locate CSI in order to verify a certificate of a signer who sent a signed document to the dependent entity, then there is no online communication between the certificate holder and the dependent entity. Therefore, there is no need for online location, retrieval and validation of CSI. If this is the case, the Interface Agent should send the User-CSI Agent to search for CSI on that certificate and notify the dependent entity (the human operator) that he may logoff the network if he wishes so. The User-CSI Agent must be checking frequently (polling) for the existence of the dependent entity in the network and return to it when the dependent entity connects back to the network. In this case, the User-CSI Agent may return to the dependent entity by other communication means as well (e.g. e-mail). It is the duty of the IA then, to check frequently the mailbox of the dependent entity and locate any User-CSI Agents there and retrieve them.
We have presented in the previous sections an alternative mechanism for the dissemination of certificate status information, which we call ADoCSI. In this section, we present the threats this mechanism faces, and the respective security services and mechanisms that have to be in place in order to deal with these threats. The threats ADoCSI has to deal with are the following [Gritz97]:
An entity other than the CA could manage to modify a CA-CSI Agent before it is installed in the AMP, or install one that has been developed by that entity itself, in order to have that Agent give incorrect or false CSI to the User-CSI Agents. To deal with this threat, Agents should be distributed in a secure manner [Zhang97]; the integrity and origin of the CA-CSI Agents should be verifiable both by the AMPs and the User-CSI Agents. This can be done if the CA-CSI Agents are signed by the CA that sent them to the AMP. Both the AMP and the User-CSI Agents must have a copy of the CA certificate. The DF of that AMP and the User-CSI Agent must use the respective CA public key and verify the signature on the CA-CSI Agent. The AMP must contain the CA certificates of the CAs it receives CA-CSI Agents from, in a repository local to the AMP. The User-CSI Agent must also contain the CA certificates that will be needed to verify the digital signatures on the CA-CSI Agents the User-CSI Agent will communicate with.
An entity other than the dependent entity may attempt to modify or replace the User-CSI Agent while the Agent is distributed to the dependent entities by the CA that developed it, while the Agent is transported to an AMP or while the Agent is returning to the dependent entity. The CA that developed the User-CSI Agent should sign that Agent as well, in order to deal with the aforementioned threats. If the signature of that CA is on the User-CSI Agent, the dependent entity and the DF will be able to verify the integrity of the Agent once they receive it.
The CA-CSI Agents transport the CSI from the CAs to the AMPs. The integrity and origin of the CSI contained in the CA-CSI Agents can also be verified, by verifying the CA digital signature on the CA-CSI Agent. This signature might prove to be redundant for some cases of CSI (e.g. CRLs) where there is already a mechanism for verifying the integrity of the CSI (e.g. in the case of CRLs it is, again, the CA signature on the CRL).
The User-CSI Agents also carry information. When the User-CSI Agent leaves the dependent entity to be transported to an AMP, it carries information it will use in order to form CSI queries it will direct to the CA-CSI Agent. A malicious entity might modify that information while the Agent is transported in order to prevent the dependent entity retrieve correct or complete CSI. This can be prevented if the dependent entity signs the Agent as well, before transporting it to the AMP. The AMP must verify both signatures (CA signature and signature of dependent entity) before allowing the execution of the User-CSI Agent.
If an AMP does not contain all the CA-CSI Agents a User-CSI Agent needs to contact, the AMP will refer the User-CSI Agent to another AMP in order to find the rest of the CSI it is looking for. The User-CSI Agent may be modified by an entity (without authorisation) while it is transported to that other AMP. In order to prevent that from happening, the AMP that refers the Agent must sign the Agent as well, in order to provide integrity protection for the CSI the Agent has retrieved from this AMP.
Finally, when the User-CSI Agent has gathered all the CSI it needs, it transports itself back to the dependent entity, either immediately or whenever the latter is connected again to the network. The Agent carries at that point some CSI for which the dependent entity cannot verify the integrity. This is the CSI the Agent retrieved from the AMP before transporting itself back to the dependent entity. The User-CSI Agent could generate at that time a symmetric key, encrypt that key with the public key of the dependent entity (the certificate of the dependent entity is contained in the User-CSI Agent) and store it along with the other information it carries. Before leaving the AMP, the User-CSI Agent should generate a Message Authentication Code (MAC) [Ford94], using that symmetric key; that MAC should be applied on the Agent itself and all the information it carries. Using that MAC, the dependent entity (the Interface Agent) can verify the integrity of the User-CSI Agent and of the information it retrieved for the dependent entity.
Verification of the origin of the CSI a dependent entity receives may be possible or not, depending on the CSI mechanism that the User-CSI and CA-CSI Agents decided to use in order to exchange the CSI that the former was looking for (see [Iliad00b], for the evaluation of those mechanisms concerning their capability for verification of the origin of CSI).
An entity may attempt to masquerade as an AMP and attract User-CSI Agents. If a User Agent communicates with a (valid) CA-CSI Agent at an AMP that is controlled by an unauthorised, untrusted and possibly malicious entity, then that entity may manage to take control of the communication between the User-CSI Agent and the CA-CSI Agent and provide the former with false, inaccurate or partial CSI. Even if the two aforementioned Agents employ integrity mechanisms for the protection of their communication, while they are in the AMP, the AMP can always observe the Agents’ actions, monitor the data they generate (e.g. symmetric keys that will be used for the protection of the integrity of the communication between these two Agents) and manipulate the communication between them. In order to prevent AMP masquerade, both the CAs and the dependent entities should encrypt their Agents with the public key of the AMP they intend to send their Agents to, before transporting them. Thus, the AMP will be able to decrypt and execute the Agents only if it is the AMP that the CAs or the dependent entities intended to send their Agents to.
Denial of Service attacks could be launched against the AMPs. In order to deal with this threat, the CA-CSI Agents should be sent by the respective CAs to more than one AMPs. Therefore even if an AMP cannot deliver the CSI dissemination service with the expected quality (e.g. the communication line that leads to the AMP is congested due to the DoS attack, or the User-CSI Agents that reside at the AMP perform too many CSI requests to the CA-CSI Agents, thus consuming much of the processing power of the AMP), a User-CSI Agent may select another AMP to retrieve CSI from.
Another countermeasure that can be used in order to deal with DoS attacks would be to minimise the Central Processing Unit (CPU) time quota that is available to every User-CSI Agent that resides in the AMP, thus reducing the possibility that a malicious User-CSI Agent could use too many system resources. Research is being performed on limiting the CPU time that Java mobile code can consume [Gorri98].
A malicious entity might attempt to capture a User-CSI Agent when it is transported back to the dependent entity and send another User-CSI Agent in its place, an Agent that was sent at an earlier date by the same dependent entity. If this is achieved, the dependent entity might be led into believing that the Agent it received is authentic, as well as the information it carries. However, that CSI will be old and possibly invalid. If that CSI has not been generated with a mechanism that supports bounded revocation, then the dependent entity will consider the invalid CSI it has received as valid. In order to avoid that, the dependent entities should include a nonce (Number used ONCE) [Schn96] in their User-CSI Agents in order to prevent such Agent replays.
A malicious entity could attempt to capture the CA-CSI Agents on their way to an AMP and replace them with valid, but old, CA-CSI Agents of the same CA. If this replay attack was successful, then the User-CSI Agents could retrieve old, and possibly invalid, CSI. However, the CA-CSI Agents are timestamped and they also contain a validity period, which is short. If an unauthorised entity attempts to replay an old CA-CSI Agent to an AMP then the AMP will dismiss that CA-CSI Agent as expired.
If an entity had taken control of an AMP it could attempt to store in that AMP only old CA-CSI Agents, with the purpose of disseminating old, and possibly invalid, CSI. The User-CSI Agents would not retrieve CSI from those expired CA-CSI Agents because the former would realise that the latter are expired (by verifying the timestamp and validity period they contain) Agents and therefore they should not trust the CSI they carry.
Signing the Agents with the private keys of the Agent developer or the entity that is sending the Agent does not guarantee that the Agent will not act in a malicious way either towards the AMP or towards other Agents. This measure provides only accountability for the actions that the Agent will perform, on behalf of the entity that sent the Agent. Protecting the AMP and Agents, from other Agents has been a topic of research both in academia [Necu98], [Necu96], [Wil98], [Wil99] and in the commercial world [Gong98], [Gong97].
Solutions to this problem include the use of tamper resistant hardware [Wil98], [Wil99] and the use of language semantics in order to verify the safety of a specific application [Gong97], [Necu98] either dynamically, at run time, or statically. Furthermore, access control mechanisms can be employed in order to restrict access to the resources or services offered by an Agent [Gong98]. Limiting the resources of an AMP that an Agent can use, in order to carry out certain tasks, is a subject that is also under research [Gorri98].
Besides these, confining the use and transportation of Agents inside network domains [Gritz98], and enforcing security policies for their operation could contribute to a controlled execution environment for these Agents. Finally, the integration of application development [Jacl97] platforms that can be used for the development of Agents could lead into an integration of the respective security functionality. Such an integration could give to the developers more tools to address the security issues that arise from the operation of Agents [Gritz98].
Protecting Agents from AMPs is a still a subject of research [Wil98], [Wil99]. Perhaps the security countermeasures that have been used in order to protect the AMPs from the Agents’ actions can be used here as well. If the CAs could verify against specific safety properties [Necu96], [Necu98] the code of the DF Agent and the static Agents of the AMP, or if the CAs themselves could check for these properties [Gong97], then the CAs could sign the aforementioned Agents. Therefore, CAs could protect Agents from malicious AMPs, since the actions of an AMP would be predictable.
A dependent entity Agent might not want to let a CA-CSI Agent or an AMP know for which CSI the User-CSI Agent is looking for, unless the CA-CSI Agent does contain that CSI. A dependent entity Agent might want that, in order to protect his privacy (at least from the AMPs or CA-CSI Agents that do not have the CSI that the dependent entity is looking for). If that is achieved, then the risk of having a compromised AMP or CA-CSI Agent giving false CSI to User-CSI Agents could be reduced as well, because the AMP or CA-CSI Agent will not know what CSI the User Agent is looking for, unless the AMP contains such CSI. One way to achieve that [Riord98] would be to form the CSI query in the following way:
Query: H(N, CertID, CaCertID),
where H() is a hash function, and CertID is an identifier for the certificate the dependent entity is looking CSI for. It could be the public key of that certificate, the hash of that public key, the hash of the serial number of the certificate and the respective Distinguished Name [X.500] contained in the certificate, or any other construct that can identify uniquely a certificate issued by a specific CA. Furthermore, the query should include another certificate identifier, identifying the CA that issued the certificate, the dependent entity is looking CSI for. Finally, in order to avoid dictionary attacks from an AMP that would want to find out for which certificate is the dependent entity looking CSI for, a nonce (N) should be included as well. This nonce could be the nonce included in the Agent in order to protect the entities that receive the Agent from replay attacks.
The query is formed from the hash of the aforementioned information. The User-CSI Agent will be retrieving the respective certificate identifier values from the CA-CSI Agent and will be calculating the respective query values until he finds one that matches. If this is the case, the User-CSI Agent can retrieve CSI from the CA-CSI Agent at that time. If the CA-CSI Agent or all the CA-CSI Agents that reside in the AMP, do not contain the CSI that the User-CSI is looking for, then the latter will communicate with another CA-CSI Agent, or will transport itself to another AMP. However, neither the CA-CSI Agents that the User-CSI Agent communicated with, nor the AMP the User-CSI Agent was residing in, will be able to know for which certificate was the Agent looking for.
Neither the CSI mechanisms we have reviewed in [Iliad00a], nor ADoCSI, take into consideration the reasons for the revocation of a certificate when performing certificate path validation. Furthermore, during a certificate path validation, none of the aforementioned mechanisms takes into consideration certificates that contain the same public key but belong to other certification paths, and they have been revoked. Obviously, the aforementioned certificates should belong to the same entity, but it could also be the case of two or more entities that had -on purpose- the same key pair, certified by different CAs.
Assume that certificates Ck and C’k belong to the respective certificate chains C and C’, depicted in the table below, and contain the same subject public key. Should Ck be revoked, that does not mean that C’k will be revoked as well, as it belongs to another certificate chain. The fact that Ck has been revoked should affect C’k in a different way, depending on the reason for the revocation of Ck [Fox98]. Currently, PKI does not support the revocation, or any other action upon a subject’s certificate, if another certificate containing the same public key is revoked. Let us examine the various reasons for the revocation of a certificate. These reasons can be included, optionally, as an extension to the CRL [ISO9594], [Hous99]. This extension is called CRLReason [REFERENCE??].
Ck could be revoked because of the following reasons [ISO11770], [Fox98]:
The public key contained in Ck should not be trusted anymore because it has been compromised. The CRL entry should contain the reason ‘keyCompromise’. In this case, C’k should be revoked as well, because it contains the same, compromised public key.
The binding between the public key contained in Ck and the subject name contained in Ck should no longer be trusted, because the affiliation of the certificate holder has changed, there is a new certificate that supersedes Ck or because the certificate holder will not be using anymore Ck. The respective reason codes that should be used in the CRL entry are: ‘affiliationChanged’, ‘superseded’ and ‘CessationOfOperation’. If C’k contains information that bind the person denoted by the subject name in C’k to the same affiliation as is the case with Ck then C’k should be revoked as well. If Ck was revoked because it was superseded then C’k might not need to be revoked. Finally, if Ck was revoked because the certificate holder will not be using that certificate anymore, then C’k should be revoked or should not be revoked depending on the reason why the certificate holder will not be using C’k anymore.
Ck 1 (certificate holder k-1 is the issuer of certificate Ck) is no longer a position to vouch for the validity of Ck. This would be due to a compromise of the key contained in Ck 1. The reason code that should be used in the CRL entry is: ‘cACompromise’. In this case, C’k should not be revoked, because C’k-1 (and every certificate higher in the hierarchy of C’) is not affected because of the compromise of Ck-1.
We have demonstrated that there are cases when the revocation of a certificate belonging to one certificate chain may provoke the revocation of a certificate that belongs to another certificate chain but bears the same public key. However, the current, supported certificate path validation mechanisms and CSI location mechanisms do not support such actions. Even if such actions were supported buy the aforementioned mechanisms, there would still be questions to be answered regarding the revocation of one certificate on another certificate that contains the same public key. One of the issues that would have to be tackled with, is what would happen in case a certificate needs to be revoked for a reason that is not included in the list of reasons proposed by [ISO9594], [Hous99]. It could be the case that a CA (the holder of Ck-1) has realised that an entity (the holder of Ck) has been misidentified, either because of a procedural registration error or because the entity has provided false identification [ISO11770] to the CA during the registration phase. In this case, none of the existing, proposed reasons to be included in the CRL entry do not concern the real reason for the revocation. Another issue that would have to be tackled with, is the actions to be taken with respect to C’k in case Ck appears in a CRL with the value certificateHold in the entry extension reasonCode. A certificate could be suspended (certificateHold) for many, different reasons and it would not be clear in this case what actions should be taken either by the entities that own the certificates in the certification chain C’ or by the dependent entities that wish to use certificates (e.g. C’k, Ck) that belong to these chains.
ADoCSI could possibly provide the means to deal with the aforementioned problems, since the Agents involved in ADoCSI do have access to a common pool of CSI resources (the set of all AMPs and CA-CSI Agents). User-CSI Agents could seek the necessary information in this pool in order to verify the validity of a certificate, even if the same public key is contained in more than one certification paths. In addition to that, the dependent entity could customise the User-CSI Agents (through a graphical user interface provided by the Interface Agent) in order to let them know the preferences of the dependent entity regarding the revocation of certificates, depending on the reasons other -related- certificates have been revoked. Clearly, this subject has to be studied further.
We presented the prototype of an alternative mechanism for disseminating certificate status information (ADoCSI), which presents some enhancements, compared to the other mechanisms that handle CSI dissemination [Iliad00a], [Iliad00b]. One of the most important enhancements is that this mechanism meets the transparency criterion [Iliad00b]. Entities using PKI are not always knowledgeable, motivated and perceptive towards security procedures. ADoCSI could be of use, because it relieves these entities from the burden of carrying out security related tasks in order to locate and retrieve Certificate Status Information. In addition to that, new features can be implemented in the operation of this CSI dissemination mechanism in a transparent way. New features can be developed and integrated in the mechanism (e.g. in the CA-CSI Agents and the User-CSI Agents), that possibly serve the needs of the dependent entities in a better way. However, the dependent entities themselves need not know about the mechanics of these new features.
ADoCSI presents other advantages as well. The network traffic that results from CSI queries can be reduced, since the queries take place on a local level, inside the AMPs. Furthermore, ADoCSI is resilient to unreliable networks, because it can operate both in an online and offline manner.
Most of the existing CSI dissemination mechanisms restrict the Certification Authorities in the way they must operate. CAs cannot re partition the CSI space, or transport their CSI repositories elsewhere, because dependent entities will not be able to track those changes easily. ADoCSI lifts that restriction. CAs can re partition their CSI space, transport the CSI repositories and also maintain CSI in a number of different formats. Such actions would result in confusion of the dependent entities and would create problems in the certification process, if a CSI mechanism out of those presented in [Iliad00a] was used. On the contrary, if ADoCSI is used as a CSI dissemination mechanism, such an action on behalf of the CAs would result in even more efficient CSI dissemination.
ADoCSI provides for adjustable CSI. The dependent entities can retrieve CSI that meets their own requirements, without understanding the mechanics of CSI dissemination process and without the dependent entities having to act themselves or contribute in any other way to the aforementioned process. The only other mechanism offering fine grained adjustability in CSI location and retrieval is the Freshness constrained Revocation [REFERENCE??], but at the cost of loosing economy and scalability.
ADoCSI is a more efficient CSI dissemination mechanism compared to the ones we have presented in [Iliad00a]. Although the set of features it supports is larger than the respective sets of other mechanisms [Iliad00b], it is still an economic and scalable mechanism. Furthermore, it provides for timely dissemination of fresh CSI. Most of the other mechanisms that offer fresh CSI in a timely manner are either not economic or not scalable.
A disadvantage of ADoCSI is that it requires that the Trusted Computing Base (TCB) [Goll99] of the dependent entities and CAs grows in size. The User-CSI Agent and the Interface Agent are part of the TCB of the dependent entity. These Agents are locating, retrieving and possibly validating CSI on behalf of the dependent entity. CA-CSI Agents also form part of the new TCB of CAs. CA-CSI Agents are the ones that disseminate the available CSI, not the CAs, anymore. Taking into consideration that security issues related with the use of Agents still exist, such a growth of the Trusted Computing Bases requires that these problems have to be solved, in an economic way, before using Agents in the CSI process.
Generation and dissemination of Certificate Status Information has to be studied further. There are still problems that need to be solved, regarding CSI mechanisms. Solution to these problems could require the sharing of CSI among a wide group of CAs and the processing of that CSI before communicating it to the dependent entities. We believe that Agent based CSI mechanisms could possibly provide the means to deal with the aforementioned problems since the Agents involved in such mechanisms have access to a common pool of CSI resources, the set of all collaborating AMPs and the respective, resident CA-CSI Agents.
A final note on ADoCSI is that it assumes there will be a sufficient number of collaborating AMPs and that each AMP contains a sufficient number of CA-CSI Agents. Furthermore, ADoCSI assumes that all Agents involved in the scheme are using the same Agent Communication Language. Although these assumptions do not pose any problem at all, on a technical level, there might be other obstacles in implementing such a CSI scheme. There might be commercial CAs that do will refuse to have their CA-CSI Agents in the same AMP as another CA, or in the AMP developed by an organisation that is somehow related with another CA. Furthermore, if a CA has a large user base (entities that have been issued certificates from that CA) that CA may refuse to serve CSI requests from User-CSI Agents developed by other CAs. In general, real life implementation of ADoCSI requires that CAs will develop multi level collaboration, in order to deliver CSI.
Taking into consideration the above, a degenerate version of ADoCSI might prove to be the most economic and efficient one. We refer to the case where each CA is operating its own AMP, hosting only its own CA CSI Agent, while the Directory Facilitator at that AMP knows the location of the AMPs of all other CAs. This is a very close analogy to the private network of the banking system. A dependent entity would have to send its User CSI Agent to an AMP it already knows the location of (Acquirer AMP/CA), and the latter would refer it to the AMP that contains the appropriate CSI (Issuer AMP/CA).
We have pointed out the need for transparency of PKI security services and in specific the need for transparency in the location and validation of CSI. We presented the prototype of an alternative mechanism for disseminating CSI that meets this need. There is clearly much work to be done yet, as pointed out at least in section 4. However, we consider we brought forward some new requirements regarding CSI mechanisms and sketched a prototype framework for meeting these requirements.
[Aglets] IBM Aglet Workbench, available at http://www.trl.ibm.co.jp/aglets
[Chess95] Chess D., Grosof B., Harison C., Levine D., Parris C., , IBM Research Division, T.J. Watson Research Center, New York, & Tsudik G., IBM Zurich Research Laboratory, Itinerant Agents for Mobile Computing, Research Report 20010, 1995
[FIPA98a] Agent Management, Part 1, Foundation for Intelligent Physical Agents Specification, Geneva, October 1998
[FIPA98b] Agent Communication Language Version 2.0, Part 2, Foundation for Intelligent Physical Agents Specification, Geneva, October 1998
[FIPA98c] Agent Security Management Version 1.0, Part 10, Foundation for Intelligent Physical Agents Specification, Geneva, October 1998
[Ford94] Ford W.,Computer Communications Security, Prentice-Hall, 1994
[Fox98] Fox B., LaMacchia B., Certificate Revocation: Mechanics and Meaning, In Proceedings of Financial Cryptography 98, LNCS 1465, New York, Springer Verlag
[Frost96] Frost H. R., Cutkosky M. R., Design for Manufacturability via Agent Interaction, In Proceedings of the ASME Computers in Engineering Conference, Irvine, CA, August 1996
[Gene92] Genesereth M. R., An Agent-Based Approach to Software Interoperability, In Proceedings of the DARPA Software Technology Conference, 1992
[Gene92b] Genesereth M., Fikes R., et al., Knowledge Interchange Format, version 3.0, reference manual, Technical Report, Computer Science Department, Stanford University, 1992
[Gene94] Genesereth M. R., Ketchpel S. P., Software Agents, In Communications of the ACM 37 (7), 1994
[Goll99] Gollman D., Computer Security, John Wiley & Sons, 1999
[Gong97] Gong L., Mueller M., Prafullchandra H., Schemers R., Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2, In Proceedings of the USENIX Symposium on Internet Technologies, 1997
[Gong98] Gong L., Signing, Sealing and Guarding Java Objects, Lecture Notes in Computer Science (LNCS), Vol.1419, Springer-Verlag, June 1998
[Gorri98] Gorrieri R., Marchetti R., Applet Watch-Dog: A Monitor Controlling the Execution of Java Applets, Proceedings of the IFIP SEC'98, published by Austrian Computer Society, 1998
[Gritz97] Gritzalis, S., Spinellis, D. Addressing Threats and Security Issues in World Wide Web Technology, In Proceedings of the 3rd IFIP International Conference on Communications and Multimedia Security, Chapman & Hall, 1997
[Gritz98] Gritzalis S., Iliadis J., Addressing security issues in programming languages for mobile code, In Proceedings of the DEXA '98 9th Workshop of Database and Expert Systems Applications, IEEE Computer Society Press, August 1998
[He98] He Q., Sycara P., Finin T. W., Personal Security Agent: KQML Based PKI, In Proceedings of the ACM Conference on Autonomous Agents (Agents'98), May 1998
[Hous99] Housley R., Ford W., Polk W., Solo D., Internet X.509 Public Key Infrastructure Certificate and CRL Profile, , IETF Network Working Group, Request for Comments 2459 (Category: Standards Track), January 1999, available at http://www.ietf.org/rfc/rfc2459.txt
[Iliad00a] Ioannis S. Iliadis, Diomidis Spinellis, Sokratis Katsikas and Bart Preneel, A Taxonomy of Certificate Status Information Mechanisms, In Information Security Solutions Europe ISSE 2000, Barcelona, Spain, September 2000. European Forum for Electronic Business.
[Iliad00b] J. Iliadis, D. Spinellis, S. Katsikas, D. Gritzalis, B. Preneel., Evaluating Certificate Status Information Mechanisms. In Proceedinds of the 7th ACM Conference on Computer and Communication Security: CCS '2000, pages 1-8. ACM Press, November 2000.
[Iliad99] Ioannis S. Iliadis, On the Dissemination of Certificate Status Information, MSc Dissertation, Dept. of Mathematics, Royal Holloway College, University of London
[ISO11770] ISO/IEC JTC 1/SC 27/WG 1 11770-1.2, Information Technology - Security techniques - Key management - Part 1: Framework, 1996
[ISO9594] ISO/IEC 9594-8 (1994), Open Systems Interconnection - The Directory: Authentication Framework. The 1994 edition of this document has been amended by the Draft Amendments [Dram96] and a Technical Corrigendum [Cor95]
[Jacl97] Jacl and Tcl Blend, (1997) available at http://sunscript.sun.com/java/
[KQML] ARPA Knowledge Sharing Initiative, External Interfaces Working Group, Specification of the KQML agent-communication language, working paper, July 1993
[Lamb97] Lambrou Y., Finin T., A Proposal for a new KQML Specification, Technical Report CS-97-03, University of Maryland, Baltimore, US, 1997
[Necu96] Necula G.C., Lee P., Safe Kernel extensions without run-time checking, Proceedings of the Second Symposium on Operating Systems Design and Implementation, 1996
[Necu98] Necula G. C., Compiling with Proofs, PhD Thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, September 1998
[Nwana96] Nwana H. S., Software Agents: An Overview, In Knowledge Engineering Review, Cambridge University Press, 1996
[Odyssey] General Magic Odyssey, available at http://www.genmagic.com/agents
[Petrie97] Petrie C. J., What’s an agent… and what’s so intelligent about it?, IEEE Internet Computing Vol. 1, Number 4, July-August 1997
[Riord98] Riordan J, Schneier B., Environmental Key Generation towards Clueless Agents, In Proceedings of Mobile Agents and Security, LNCS, Springer-Verlag, 1998
[Rivest98] Rivest R., Can We Eliminate Revocation Lists?, In Proceedings of Financial Cryptography 1998, available at http://theory.lcs.mit.edu/~rivest/revocation.ps
[Schn96] Schneier B., Applied Cryptography, John Wiley & Sons, 1996
[Spruit96] Spruit M. E. M., Looijen M., IT security in Dutch practice, Computers & Security, 15-2, 157, 1996
[Spruit98] Spruit M. E. M., Competing against human failing, In Proceedings of the XV IFIP World Computer Congress: 14th IFIPSEC '98 International Information Security Conference, September 1998
[Thiru95] Thirunavukkarasu C., Finin T., Mayfield J., Secret Agents - A Security Architecture for the KQML Agent Communication Language, In Proceedings of CIKM’95 Intelligent Information Agents Workshop, December 1995
[Wil98] Wilhelm U. G., Staamann S., On the Problem of Trust in Mobile Agent Systems, In Symposium on Network and Distributed System Security, Internet Society, March 1998
[Wil99] A Technical Approach to Privacy Based on Mobile Agents Protected by Tamper-resistant Hardware, PhD Thesis, Wilhelm U. G., Department of Informatics, EPFL, Lausanne, 1999
[X.500] CCITT Recommendations X.500-X.521, Data Communication Networks Directory, CCITT, November 1988
[Zhang97] X.N.Zhang, Secure Code Distribution, IEEE Computer, June 1997