PKI Interoperability Models (February 2005)
4.4. Cross-Recognition Model
Cross recognition is where an individual CA or an entire PKI domain agrees to recognise another CA or domain, rather than building from a lower lever technical solution.
A relying party in one PKI domain can use authority information in another PKI domain to authenticate a party in the other PKI domain, and vice-versa.[28]
This requires close co-operation among either the CAs at an administrative level or accreditation agencies (and governments) at a higher level.
Figure 7. Cross-Recognition Model
In practice, cross-recognition means that certificates issued in a domain that has been recognised may be relied upon with some confidence by relying parties in the recognising domain:
Cross-recognition amounts to a formal and reciprocal recognition by the competent PKI authorities (top trust point) in one recognising PKI domain of the authority and capacity of the competent PKI authorities in another recognised PKI domain, to impose, manage and enforce PKI standards and trust processes appropriate for confident acceptance of those certificates in the recognising domain. A community of interest is thereby able to rely upon certificates issued from an external PKI for use in certain applications, within the limits of the accredited certificate policy for those certificates. As stated, however, the recognising domain would not be guaranteeing the status and reliability of foreign certificates.[29]
Cross-recognition is the basic trust model that is being pursued by the Asia Pacific Economic Cooperation (APEC) Telecommunications (TEL) Working Group.
Cross-recognition differs from cross-certification in several respects. For example, there is no mutual (or even unilateral) recognition between CAs. Cross-recognition is based on the notion that independent CAs would be licensed or audited by a mutually recognised trusted authority. The foreign CA may be regarded as trustworthy if they have been licensed/accredited by a formal licensing/accreditation body or they have been audited by a trusted independent party. This can be accomplished by the development of a mutually recognised set of criteria at the domain level. The end result is that as long as the user trusts the accreditation authority, they can trust certificates from any recognised CAs.
Cross-recognition is an attractive model because it avoids some of the technical interoperability issues. However, it still shares the administrative and management problems of all such networks of trust, and in many high-value applications it may not be seen as providing enough assurance.
Cross-Recognition working example: Pan-Asian E-Commerce Alliance (PAA)
A significant cross-recognition scheme is being organised by the Pan-Asian E-Commerce Alliance (PAA)[30] which has members from nine different economies[31] and co-ordinates a variety of e-commerce harmonisation activities to encourage regional trade. The PAA first authored a Certificate Policy Statement and, using that as a standard, has now accredited a CA from six of those nine economies to join the scheme. Cross-recognised certificates have now been used in several cross-border applications, especially customs and shipping.[32]
[28] Business Facilitation Steering Group, Electronic Authentication Task Group, And Cross-Certification Expert Group, Achieving PKI Interoperability, APEC Telecommunications Working Group, 30 August 1999
<http://www.apectelwg.org/apecdata/telwg/eaTG/eatf06.doc>.
[29] Australian Government National Office for the Information Economy, Interoperability between Gatekeeper and Foreign Digital Certificates through Cross-Recognising PKI Domains, May 2003
<http://www.agimo.gov.au/__data/assets/file/18913/crossRecPolicyV2.3.pdf>.
[31] Singapore, Hong Kong, Taiwan, China, Korea, Japan, Malaysia, Macau, Thailand.
[32] PKI Forum Singapore, Launch of final report on legal issues in cross-border e-commerce transactions, 2003 <http://symposium.pki.or.kr/04%20WG%20Presentation%20I%20-%20Evelyn%20Ong.pdf>.