PKI Interoperability Models (February 2005)

Root CA / Hierarchy

Cross Certification (Mesh)

Cross Recognition

Bridge CA

Certificate Trust List

Brief Description

An organised chain of CAs, run from the top down.

CAs certify each other as peers

CAs/PKI domains agree to recognise each other’s certificates

A central bridge CA manages interoperability between all other CAs

A list of trusted CAs is distributed

Role

Technical mechanism to convey recognition.

Technical mechanism to convey recognition. May also have role in establishing recognition.

Political and contractual process of establishing recognition.

Technical mechanism to convey recognition. May also have role in managing recognition.

Technical mechanism to convey recognition.

Working examples

Global – Identrus

Germany – RegTP

Asia – PAA

Australia – Gatekeeper / Angus

US Federal Bridge

EU – Commercial Bridge

EU – Government Bridge

Agreement required

Tight agreement from the beginning

Only between CAs as needed

Political co-operation

Consensus of CAs to use bridge

Only useful if publisher already has authority

Technical interoperability – design stage

Yes – fully interoperable

Yes – but may require significant modifications

PKIs remain separate at technical level

Bridge can play a role in managing interoperability

Requires another mechanism to establish recognition (eg Cross Recognition)

Technical interoperability – real time operation

Yes – fully interoperable

Yes – fully interoperable

Requires use of other tools (eg Trust Lists) to achieve technical interoperability

Partial technical interoperability only – stronger if used with other tools (eg Trust Lists)

Yes – fully interoperable

Costs

Low – simple, easy system

High – each pair of CAs must go through expensive process to cross-certify

Low-Medium – co-ordinating body must enforce rules and audit participants

Medium – bridge CA has significant workload

Low, but varies with modes of use

Scalability

Medium – short and certain certification paths back to trusted root

Low – full mesh has n² pairs, certification paths may be long

Medium – no technical barriers, but challenging administrative co-ordination

Medium-High –limiting factor is bridge workload

High – simple, direct trust

Security risks

High – single breach of root brings down network, subordinate CAs must be re-certified

Low – single breach may have no effect on others, or may fragment network

Low – depending on level of technical integration, probably no effect on network

Medium – breach of bridge brings down network, but participants can still operate on their own

Medium – depending on implementation, may be lag between security breach and list update