A novel approach to on-line status authentication of public-key certificates

The widespread use of public networks, such as the Internet, for the exchange of sensitive data, like legally valid documents and business transactions, poses severe security constraints. The approach relying on public-key certificates certainly represents a valuable solution from the viewpoint of data integrity and authentication The effectiveness of the approach, however, may be arguable, especially when a trivial strategy is adopted within a Public-Key Infrastructure (PKI) to deal with the problem of revoked certificates. This paper presents a novel certificate status handling scheme, based on a purposely-conceived extension of the One-Way Accumulator (OWA) cryptographic primitive. The distinguishing characteristic of the devised Owa-based Revocation Scheme (ORS) is that it exploits a single directory-signed proof to collectively authenticate the status of all the certificates handled by a Certification Authority (CA) within a PKI. A thorough investigation on the performance attainable shows that ORS exhibits the same features of the well-known On-line Certificate Status Protocol (OCSP) as regards security, scalability and certificate status-updating timeliness, at the same time drastically reducing the directory computational load that, in a high-traffic context, could be nearly unbearable when OCSP is applied.