5. PKI Trust Models
The fundamental purpose of PKI is to represent the trust relationship between participating parties.
The verifier (relying party) validates the chain of trust from the end-entity certificate back to a trust anchor it holds.
Four models exist:
• Subordinate Hierarchy
• Cross Certified Mesh
• Bridge CA
• Trusted List
6. Subordinate Hierarchy
• Two or more CAs in a hierarchical relationship
• Good for single enterprise applications
• Hard to implement between enterprises
7. Cross Certified Mesh
• Each CA cross-certifies the other PKIs' CAs by signing their public verification keys
• Good for dynamically changing enterprise PKI applications
• Scalability is a major issue: with n CAs, n(n-1) cross certifications must be supported
8. Bridge CA
• Only the Root CAs participate in the cross certification, and each root cross-certifies only with the bridge CA
• Solves the scalability issue of the mesh model: every certification path between two PKIs passes through the bridge, so the number of cross certifications grows linearly with the number of PKIs rather than as n(n-1)
9. Trusted List
• Uses a set of publicly trusted root certificates
• Ex: Internet Browsers
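The four trust models above, as an added example that is not from the original slides: a toy certification-path builder in Python in which every CA-to-CA certificate is a directed edge from issuer to subject. It builds the mesh, bridge and trusted-list variants over the same set of root CAs, counts the cross-certificates each needs (the n(n-1) versus linear cost discussed above) and finds the path a relying party would have to validate; the CA names, the "Bridge" CA and the "user@<root>" end entities are constructed sample names, and a subordinate hierarchy is just the same graph with a single anchor and no cross-certificates.

```python
from collections import deque
def add_cert(g, issuer, subject):
    """Record that `issuer` has issued a certificate to `subject`."""
    g.setdefault(issuer, set()).add(subject)

def build_model(model, roots):
    """Issuer->subjects graph for one trust model over independent root CAs;
    each root also issues one end-entity cert 'user@<root>' (constructed names)."""
    g = {}
    for r in roots:
        add_cert(g, r, f"user@{r}")
        if model == "mesh":          # every root cross-certifies every other root
            for other in roots:
                if other != r:
                    add_cert(g, r, other)
        elif model == "bridge":      # every root cross-certifies only the bridge CA
            add_cert(g, r, "Bridge")
            add_cert(g, "Bridge", r)
    # "list": no cross-certs at all; the relying party trusts every root directly
    return g

def cross_certs(g, roots):
    """Number of CA-to-CA certificates, i.e. the cross-certification burden."""
    cas = set(roots) | {"Bridge"}
    return sum(1 for iss, subs in g.items() if iss in cas for s in subs if s in cas)

def find_path(g, anchors, target):
    """BFS from the relying party's trust anchors to `target`; returns the
    shortest certification path [anchor, ..., target] or None if untrusted."""
    prev = {a: None for a in anchors}
    queue = deque(anchors)
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in g.get(cur, ()):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

if __name__ == "__main__":            # bridge: 2n cross-certs, path runs via the bridge
    roots = ["RootA", "RootB", "RootC", "RootD"]
    g = build_model("bridge", roots)
    print(cross_certs(g, roots), find_path(g, {"RootA"}, "user@RootD"))
```

With a trusted list, pass every root as an anchor (as a browser does) and the path to any end entity is one certificate long; a name that no anchor can reach returns None, which is the "untrusted" outcome a verifier must reject.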
10. Traditional CRLs
Relying party checks the certificate against the latest published CRLs
Disadvantage:
CRLs grow long over time, and the network load grows in proportion to both the CRL length and the number of users who must download them.
12. OCSP
Online Certificate Status Protocol
• Client – Server model
• Client requests status of a certificate
• Server sends a signed response back
• Advantages
  • Very small request and response
• Disadvantages
  • All responses need to be signed, increasing the load on the server
  • Clients must be online/connected to check the status
15. UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland