The audit of CAs would be overseen by an ISO 17025 accreditation framework, scalable to build an international PKI under the auspices of existing accreditation bodies.
This paper outlines a new model for constructing open PKI where the relationships between CAs at different levels are based primarily on compliance audit. A strong trend across most PKIs at present is for CAs to seek independent audit, to assure users and relying parties that certificates are issued in accordance with agreed standards and procedures. Until now, the results of such audits have only been made available in the form of paper compliance reports.
To improve the ability for relying parties to decide online whether or not to accept a certificate, the results of a successful audit could be asserted in a digital certificate, issued to the CA by (or on behalf of) the auditor. Such digital audit certificates can conveniently be conventional X.509 ‘identity’ certificates, signing the public key of the subject CA. This enables the audit certificate to be automatically processed by any ordinary X.509 parser, during the course of verifying the end user certificate. A regular X.509 certificate can represent a complete and precise summary of the audit. The Policy OID of this certificate would point to documentation of the conditions of the audit and any applicable standards. In turn, the Policy OID of the end user certificates issued by the CA would have to indicate the actual certification policies and procedures covered by the audit.
A complete PKI can be built upon the principles of contestable open audit and existing mechanisms for accrediting auditors. Approved auditors would likewise have their status confirmed by a digital certificate issued by a recognised accreditation body, authoritative over the audit standards in force.
The audit based PKI model is most applicable to “open-but-bounded” e-business environments. It promises to save costs by leveraging existing bodies, audit standards and methodologies. Importantly, many auditor accreditation standards operate independently of the technical domain of the auditors themselves, and so may be applied at the top of the PKI with little or no modification. At the same time, by stressing conventional assurance and risk management principles, the model makes PKI more comprehensible and accessible to business users. The model may also provide the most logical and most practical pathway to transnational ‘root CAs’, under the auspices of existing international accreditation associations and mutual recognition arrangements for same.
Audit based public key infrastructure V0.3 April 2000.pdf