PKI Interoperability Models (February 2005)
6. Conclusion
There is a clear trend in the current PKI interoperability discussions to move towards the bridge CA model[37]. However, within the bridge model there are numerous variations in how interoperability is actually achieved. The bridge may sit above a cross-certification mesh, a cross-recognition model, a series of certificate trust lists, or even a combination of all of these. It would appear that the main advantage of the bridge is the provision of a stable third party to co-ordinate and promote PKI interoperability by whatever means necessary.
In the absence of a bridge, interoperability may fall through the cracks. Individual governments, accreditation agencies and CAs do not have sufficient motive, skills or resources to deliver and maintain interoperability. In addition, the creation of a bridge allows interoperability to be achieved through staged testing and upgrades – perfect interoperability does not need to be achieved all at once.
There does not appear to be a clear consensus on the best interoperability model below the bridge. Cross-recognition is a broad-brush approach that could be suitable for cross-border recognition – where governments are involved in the recognition of trusted domains. For many other aspects of PKI interoperability the certificate trust list model appears to deliver practical benefits.
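The structural difference between the models discussed above (a full cross-certification mesh, a bridge CA sitting above the domains, and a certificate trust list) can be made concrete by modelling each as a graph of "issuer trusts subject" relationships and letting a relying party discover a certification path from its own trust anchor to a foreign CA. The following Python is an added illustration written for this page, not code from the paper or from any bridge CA project; the domain and bridge names are constructed placeholders, and the path-length limit stands in for the policy constraints a real bridge would impose on cross-certificates.

```python
"""Toy model of the PKI interoperability models named in the text.

Constructed example: each CA is a node; a cross-certificate issued by
CA X to CA Y is a directed edge X -> Y.  A relying party that trusts X
as its anchor can accept a certificate from Y only if a path X -> ... -> Y
exists (mesh and bridge models), or if Y is simply listed in the relying
party's signed certificate trust list (CTL model).  All names are made up.
"""
from collections import deque


def build_mesh(domains):
    # Full cross-certification mesh: every pair of domain root CAs
    # cross-certifies each other, giving n*(n-1) cross-certificates that
    # must all be issued, monitored and, when necessary, revoked.
    edges = set()
    for issuer in domains:
        for subject in domains:
            if issuer != subject:
                edges.add((issuer, subject))
    return edges


def build_bridge(domains, bridge="BridgeCA"):
    # Bridge model: each domain cross-certifies only with the bridge
    # (2n cross-certificates); every domain reaches every other through it.
    edges = set()
    for domain in domains:
        edges.add((domain, bridge))
        edges.add((bridge, domain))
    return edges


def find_path(edges, trust_anchor, target, max_len=None):
    # Breadth-first path discovery over cross-certificate edges.  Returns
    # the shortest certification path as a list of CA names, or None.
    # max_len models a path-length constraint: a relying party (or the
    # bridge's policy) may refuse paths longer than a fixed number of hops.
    adjacency = {}
    for issuer, subject in edges:
        adjacency.setdefault(issuer, []).append(subject)
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if max_len is not None and len(path) - 1 >= max_len:
            continue  # hop budget exhausted on this branch
        for nxt in sorted(adjacency.get(path[-1], [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def ctl_trusts(ctl, target):
    # Certificate trust list model: no path discovery at all.  The relying
    # party's signed list of trusted CAs either names the target or it
    # does not; interoperability is maintained by updating the list.
    return target in ctl


def withdraw_from_bridge(edges, domain, bridge="BridgeCA"):
    # Revoking the cross-certificate pair between a domain and the bridge
    # cuts that domain off from every other bridged domain at once.
    return {e for e in edges if e not in {(domain, bridge), (bridge, domain)}}


if __name__ == "__main__":
    domains = ["AgencyA", "AgencyB", "AgencyC", "AgencyD"]  # constructed
    mesh, bridged = build_mesh(domains), build_bridge(domains)
    print("mesh cross-certs:", len(mesh), "bridge cross-certs:", len(bridged))
    print("mesh path  A->D:", find_path(mesh, "AgencyA", "AgencyD"))
    print("bridge path A->D:", find_path(bridged, "AgencyA", "AgencyD"))
    print("bridge path with 1-hop limit:",
          find_path(bridged, "AgencyA", "AgencyD", max_len=1))
    cut = withdraw_from_bridge(bridged, "AgencyC")
    print("after AgencyC withdraws:", find_path(cut, "AgencyA", "AgencyC"))
    print("CTL trusts AgencyD:", ctl_trusts({"AgencyA", "AgencyB"}, "AgencyD"))
```

Running the script shows the trade-off the text alludes to: the mesh needs twelve cross-certificates for four domains while the bridge needs eight, but every bridged path is one hop longer and a path-length constraint of one hop rejects it outright, which is why bridge deployments must be tested in stages against the path-validation settings of the relying parties involved.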
[37] Stillson K D, Public Key Infrastructure Interoperability: Tools and Concepts, The Telecommunications Review 2002, <http://www.mitretek.org/publications/2002_telecomm_review/stillson_07.pdf> at p79.