
Identity Portability Supported XKMS PKI Proxy

Posted on: 2010-01-14    Degree: Master    Type: Thesis
Country: China    Candidate: Z Jin    Full Text: PDF
GTID: 2178360272995901    Subject: Computer system architecture
Abstract/Summary:
PKI (Public Key Infrastructure) has been developed and widely used for almost 20 years. It is commonly deployed in many network environments to provide asymmetric cryptography so that users can encrypt data, produce digital signatures, and so on. Along with the development and adoption of PKI came the expectation of, and the need for, larger PKI domains with effective interoperability; this has, however, remained a major problem for PKI systems. The interoperability problem can be split into two parts: interoperability between PKI domains, and interoperability between PKI identities and the Internet.

In this study we first analyse the factors that make PKI interoperability difficult. (1) Digital certificate formats were developed and regulated in the early days of PKI, and many formats and standards emerged; their diversity and complexity have in turn become obstacles to interoperation between domains that use different certificate types. (2) Differences between communication protocols are another major reason that PKI interoperability is troublesome. Fortunately, XKMS has been promoted as a common standard, so this problem is now less messy, although the transformation is not cheap. (3) Differences between the trust models of PKI domains are a further barrier to merging them. After discussing popular solutions such as cross-certification and Bridge CAs, together with their advantages and disadvantages, we propose a more feasible trust model for end users: the Dynamic Trust List. It can be implemented as a trust service, reflects the true structure of the CAs, and makes trust-chain tracing much easier. Management of the Dynamic Trust List is delegated to a centralized authority, so users with limited IT background are freed from complex decisions for which they have no guidance.

Later in this article we investigate areas in which PKI has so far been little involved.
We found that identity resources are wasted across different PKI deployments: in some organizations an identity is expensively collected and then used on only very limited occasions, and PKI provides no method for identity portability. In contrast, many service providers on the Internet rely on real identities to build their services. SAML, a popular identity and attribute assertion language and standard, has been promoted by OASIS since 2002, and its mechanisms are well suited for PKI to adopt in part in order to support identity portability. We describe in detail the two SAML binding models, in which the user logs in first at the IdP or first at the SP, together with their information flows, and compare the attributes carried in X.509 digital certificates with the attribute and identity mobility mechanisms of SAML, concluding that SAML is a suitable alternative carrier for the attributes that would otherwise be placed in an X.509 certificate.

Motivated by these results, we present the core of this article: the Identity Portability Supported XKMS PKI Proxy (IPSX PKI Proxy). The IPSX PKI Proxy acts as trust-service middleware between the traditional PKI system and PKI users. It uses XML and SOAP as its transport basis, which guarantees cross-client and cross-server compatibility, and its use of XKMS makes differences in certificate formats and cryptographic algorithms transparent. The trust decision is moved from the end user up to the IPSX PKI Proxy, so users need not know the structure of the CAs above them. End users also no longer access the CRL themselves: CRL retrieval and its result are handled and reported by the Validate Service that the middleware provides. This greatly reduces the load on CRL distribution points and reduces the risk of denial-of-service attacks against them. By adopting some SAML mechanisms in the PKI system, digital certificates, identities and attributes can be unified.
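The paragraph above describes the proxy's Validate Service: it traces the chain through a centrally managed Dynamic Trust List (including cross-certified and bridged CAs), consults the CRL on the client's behalf, and hands the client a single XKMS status. The following is an added example written for this page, not the thesis's own code or any XKMS implementation's API. It models certificates as plain records (no real X.509 parsing or signature verification), and the trust list, CRL cache, CA names and serial numbers are all constructed; only the XKMS 2.0 element names, status values and reason-code URIs are taken from the W3C specification.

```python
"""Added example (not the thesis's code): a toy XKMS-style Validate Service that
moves the trust decision and CRL checking off the client, in the manner the
abstract describes for the IPSX PKI Proxy. Certificates are plain records (no
real X.509 parsing or signature checks); the trust list, CRL cache and sample
certificates are constructed data. XKMS element names, status values and
reason codes are the real ones from XKMS 2.0."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an end-entity certificate."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class TrustListEntry:
    """One CA on the Dynamic Trust List: who certifies it, and whether it is an anchor."""
    issuers: frozenset  # several issuers for a cross-certified or bridged CA
    anchor: bool = False


# Constructed Dynamic Trust List, keyed by CA subject. Root CA B is reachable from
# the anchor Root CA A only via the Bridge CA: hard for an end user to work out,
# easy for a central service that holds the whole graph.
TRUST_LIST = {
    "CN=Root CA A": TrustListEntry(frozenset(), anchor=True),
    "CN=Bridge CA": TrustListEntry(frozenset({"CN=Root CA A"})),
    "CN=Root CA B": TrustListEntry(frozenset({"CN=Bridge CA"})),
    "CN=Issuing CA B1": TrustListEntry(frozenset({"CN=Root CA B"})),
}

# Constructed CRL cache held by the proxy: issuer -> revoked serial numbers.
# An issuer with no entry means the proxy currently has no CRL for it.
CRL_CACHE = {"CN=Issuing CA B1": {0x1002}}


def trace_chain(issuer, max_depth=8):
    """Breadth-first search from the issuing CA up the trust list to an anchor.
    Returns the CA subjects on the path, or None if no anchor is reachable."""
    queue = deque([(issuer, [issuer])])
    seen = {issuer}
    while queue:
        ca, path = queue.popleft()
        entry = TRUST_LIST.get(ca)
        if entry is None or len(path) > max_depth:
            continue
        if entry.anchor:
            return path
        for parent in sorted(entry.issuers):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return None


def validate(cert, now):
    """Classify a certificate as XKMS Valid / Invalid / Indeterminate and collect
    per-check reason codes. A real service would also verify every signature on
    the path (reason code #Signature); that check is omitted in this toy."""
    reasons = {"ValidReason": [], "InvalidReason": [], "IndeterminateReason": []}
    path = trace_chain(cert.issuer)
    reasons["ValidReason" if path else "InvalidReason"].append(XKMS + "IssuerTrust")
    in_window = cert.not_before <= now <= cert.not_after
    reasons["ValidReason" if in_window else "InvalidReason"].append(XKMS + "ValidityInterval")
    crl = CRL_CACHE.get(cert.issuer)
    if crl is None:  # fail closed: without a CRL the service cannot vouch for the key
        reasons["IndeterminateReason"].append(XKMS + "RevocationStatus")
    elif cert.serial in crl:
        reasons["InvalidReason"].append(XKMS + "RevocationStatus")
    else:
        reasons["ValidReason"].append(XKMS + "RevocationStatus")
    if reasons["InvalidReason"]:
        status = "Invalid"
    elif reasons["IndeterminateReason"]:
        status = "Indeterminate"
    else:
        status = "Valid"
    return status, reasons, path


def validate_result(cert, now, request_id="req-1"):
    """Render the decision as an XKMS 2.0 ValidateResult, so a thin client reads
    one StatusValue instead of walking chains and fetching CRLs itself."""
    status, reasons, _ = validate(cert, now)
    ET.register_namespace("xkms", XKMS)
    root = ET.Element("{%s}ValidateResult" % XKMS,
                      {"Id": "res-1", "RequestId": request_id, "ResultMajor": XKMS + "Success"})
    binding = ET.SubElement(root, "{%s}KeyBinding" % XKMS, {"Id": "kb-1"})
    st = ET.SubElement(binding, "{%s}Status" % XKMS, {"StatusValue": XKMS + status})
    for tag, uris in reasons.items():
        for uri in uris:
            ET.SubElement(st, "{%s}%s" % (XKMS, tag)).text = uri
    return ET.tostring(root, encoding="unicode")


def status_of(xml_text):
    """Client side: extract the single StatusValue from a ValidateResult."""
    el = ET.fromstring(xml_text).find(".//{%s}Status" % XKMS)
    return el.get("StatusValue").rsplit("#", 1)[1]


NOW = datetime(2010, 1, 14, tzinfo=timezone.utc)
WINDOW = (datetime(2009, 1, 1, tzinfo=timezone.utc), datetime(2011, 1, 1, tzinfo=timezone.utc))
SAMPLE_CERTS = {  # constructed inputs: trusted, revoked, untrusted issuer, no CRL available
    "good": Cert("CN=alice", "CN=Issuing CA B1", 0x1001, *WINDOW),
    "revoked": Cert("CN=mallory", "CN=Issuing CA B1", 0x1002, *WINDOW),
    "untrusted": Cert("CN=eve", "CN=Rogue CA", 0x1, *WINDOW),
    "no_crl": Cert("CN=bob", "CN=Root CA B", 0x7, *WINDOW),
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, status_of(validate_result(cert, NOW)))
```

Two design points matter for a practitioner deploying such a proxy. First, because the trust decision is concentrated in the service, a missing CRL must yield Indeterminate rather than Valid, and clients must treat Indeterminate as a failure; a proxy that fails open would turn the CRL availability problem it was meant to absorb into a silent bypass. Second, the client is now trusting the proxy's answer instead of the CA hierarchy, so the XKMS response must itself be authenticated (signed ValidateResult or the mutually authenticated SSL channel the abstract describes), otherwise an attacker between client and proxy can forge a Valid status.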
Thus, when a user wants to access the IdP part of the IPSX PKI Proxy, server and client can recognize and validate each other by their digital certificates during SSL connection establishment; compared with logging in to an IdP with a username and password, this is both more convenient and more secure. To illustrate the new uses of PKI that the IPSX PKI Proxy enables, we designed a Network ID system based on the Chinese resident ID. We describe the process of applying for, using and suspending such a Network ID, show how it can address current Internet problems such as real-name blogging and age-restricted Internet services, and how it can make PKI even more popular among every Internet user.
Keywords/Search Tags: PKI, XKMS, Dynamic Trust List, SAML, Identity Portability, Trust Service