Query Certificate Manager

Carl A. Gunter
Trevor Jim
Using Certificates (Digital or Otherwise)
- Example: Area 1 parking stickers in Philadelphia.
- Example: mortgage pre-approval.

[Diagram: Subscriber, Issuers and Relying Party; labels: cert, query]
Basic Application-Independent Authorization Architecture
[Diagram: Application, Policy, Verification, Retrieval, Remote Data, User, Public Network]
Domain Specific Languages for Authorization Policies
- 1996: PolicyMaker. M Blaze, J Feigenbaum, J Lacy
- 1997: Simple Distributed Security Infrastructure (SDSI). B Lampson, R Rivest
- 1997: Query Certificate Manager (QCM). C Gunter and T Jim
- 1998: Simple Public Key Infrastructure (SPKI). CM Ellison, B Frantz, B Lampson, R Rivest, BM Thomas, T Ylonen
- 1998: KeyNote. M Blaze, J Feigenbaum, J Ioannidis, AD Keromytis
Retrieval Challenge
- Describing authorization policy isn't the only problem.
- How do the subscriber and relying party obtain the certificates relevant to the policy?
- Examples:
  - Entrust, Oscar (LDAP)
  - PGP (key servers)
- Problem: retrieval is not integrated with verification.
Options for Retrieval
- General mirroring by relying party. (Simple, but limited and inefficient.)
- Individual short-term certificates. (Pressure on issuer's server.)
- Subscriber submits long-term certificates to relying party. (Revocation challenge.)

Illustration: QCM Daemon for ABONE Access Control
- ABONE is the active network testbed.
- ACLs at ABONE nodes were initialized by ANETD installation and then managed manually.
- This was not convenient.
- Now QCMD automatically synchronizes the local ACL with the SRI ACL, which provides the access control policy for all nodes.

ANETD: 1997 L Ricciulli
QCMD: 1999 P Kakkar, M McDougall, CA Gunter, T Jim
Requirements Imposed on QCMD
- No changes to ANETD.
- No changes to keys: based on RSA Ref.
- Scalability to 1000 nodes.
- Simple implementation providing basic security.
- Upgrade path to support additional functionality.

QCMD Client Options
- Pull: the node periodically instigates an update by sending a hash of its current ACL. This is compared to the hash of the SRI ACL; an update occurs if they don't match.
- Push: the node registers with the SRI server. The server updates the node initially and whenever the server ACL changes.
- The server periodically clears the registry; clients periodically re-register.
Implementation and Deployment of QCMD
- Tests with mixed Penn clients and Aerospace server show 500 nodes are not a problem.
- Deployed on Cairn and the ABONE.

Limitations of QCMD
- Limited integration with ANETD means limited capabilities.
- Individual certificates are not supported.
- Keys must be online.
- Little local autonomy for authorization or retrieval policy.

Query Certificate Manager (QCM)
- QCM is a superset of QCMD.
- Uses a domain-specific language and techniques from distributed databases.
- Integrates authorization policy and the three primary retrieval mechanisms.
- Key concepts:
  - Policy-directed certificate retrieval.
  - Dynamic channel discovery.
  - Chaining (transparent delegation).

1998 CA Gunter and T Jim
Policy-Directed Certificate Retrieval
[Diagram: two parties, each with Application, Policy, Verification, and Retrieval and Distribution, connected over the Public Network]
QCM Notation
- K$u --- pronounced "K's u". K is a principal; u is a global name.
- {(x,y) | x ∈ v, y ∈ K$u} --- set comprehension: "all pairs (x,y) such that x is in v and y is in K$u."
- A QCM policy is a list of bindings of global names to sets.

Illustration: Web Filtering in QCM

    online Browser {
      OK      = { p | (p,"G") <- Ratings };
      Ratings = { x | ("Alice",k) <- PKD, x <- k$Ratings };
      PKD     = Keyserver$PKD;
    }
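To see how the Browser policy is evaluated, here is an added example (not code from the slides or from QCM itself): a small evaluator in which the constructed NETWORK dict stands in for the bindings principal$name reachable over the public network, and a binding that cannot be retrieved evaluates to the empty set, the lower approximation that the later slides call the monotonicity invariant.

```python
# Added example, not from the slides: a small evaluator for the Browser
# policy above.  NETWORK is constructed data standing in for the bindings
# principal$name reachable over the public network.
NETWORK = {
    ("Keyserver", "PKD"): {("Alice", "Kalice"), ("Bob", "Kbob")},
    ("Kalice", "Ratings"): {("news.example", "G"), ("casino.example", "R")},
    ("Kbob", "Ratings"): {("casino.example", "G")},
}

def remote(principal, name, reachable):
    """Evaluate the qualified name principal$name (e.g. Keyserver$PKD, k$Ratings).
    A binding that cannot be retrieved evaluates to the empty set: a lower
    approximation, which is the monotonicity invariant the later slides rely on."""
    key = (principal, name)
    if key not in reachable:
        return set()
    return NETWORK.get(key, set())

def browser_policy(reachable=frozenset(NETWORK)):
    """Evaluate, in dependency order:
         PKD     = Keyserver$PKD
         Ratings = { x | ("Alice",k) <- PKD, x <- k$Ratings }
         OK      = { p | (p,"G") <- Ratings }"""
    pkd = remote("Keyserver", "PKD", reachable)
    # Pattern ("Alice",k) selects only the keys the keyserver binds to Alice,
    # and k$Ratings chains to each such key's own Ratings set.
    ratings = {x for (who, k) in pkd if who == "Alice"
                 for x in remote(k, "Ratings", reachable)}
    # Pattern (p,"G") keeps the pages Alice rated "G".
    return {p for (p, rating) in ratings if rating == "G"}
```

Bob's "G" rating of casino.example never reaches OK because the policy only chains through keys the keyserver binds to "Alice"; making Alice's Ratings unreachable shrinks OK to the empty set rather than letting anything through.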
Challenge of Long-Term Certificates
- Premise: most principals are authorized for a substantial period of time.
- Strategy: issue long-term certificates and revoke privileges for principals as necessary.
- Relying parties must check to see if a certificate has been revoked.
- A window of vulnerability is created.

Revocation is Costly for Retrieval

A MITRE study to recommend a PKI for the U.S. Government noted:

"Certificate revocation list distribution is by far the biggest cost driver associated with the operation of the PKI. Requiring that every request to the directory service for a certificate be accompanied by a similar request for the CRL on which that certificate may appear places an extremely heavy burden on the directory communications system... Other ways of dealing with the CRL's must be considered."
CRL Retrieval Strategies
A variety of ways to optimize CRL distribution have been explored:
- Distribution points.
- Delta CRLs.
- Indirect CRLs.
- Unreliable (push) CRL distribution.
Revocation Also Introduces Semantic Challenges

Three certificates:
1. Q says P is the public key of Alice.
2. R says P is the public key of Alice.
3. Q says R is the public key of Bob.

Three kinds of revocation:
1. P is not the public key of Alice. (3 not 2.)
2. Q no longer vouches for whether P is the public key of Alice. (2 and 3.)
3. The key of Q has been compromised. (2 not 3.)

1998 Fox and LaMacchia
Challenge of Integrating Revocation with Chaining
- Using long-term certificates entails working with revocation, which involves "negative information".
- Using "push" certificates entails working with partial information.
- This must be integrated with chaining, where information is retrieved by the relying party.
- QCM solves this problem with a monotonicity invariant: responses are assumed to provide a lower approximation of the right answer.
Inconsistencies

Consider the following definitions:

    School = Teachers ∪ Administrators ∪ Students
    Employees = School – Students

- Suppose Alice is given a certificate Alice ∈ Students.
- And later the school revokes this with a certificate Alice ∉ Students.
- Alice uses the first to prove she is in the school and the second to prove she is an employee.
Generalized Certificate Revocation for QCM
- General theory of negative data with a model using sets.
- Sound operational semantics.
- Soundness enforced by typing rules assigning "polarities" to variables in an internal language.
- General revocation policy obtained through compilation from an external language.

1999 CA Gunter, T Jim
External Language, Online Signing
- Compromised keys are defined by the relying party.
- The compiler replaces each expression e$u by {x | e ∉ Compromised, x ∈ e$u}.
- Example:

    Read = {K1,K2} ∪ Write
    Write = {K3} ∪ (Alice$Write)
    Compromised = {K4} ∪ Bureau$Compromised

External Language, Offline Signing
- Offline certificates may be revoked by the issuing party. Only certificates that require checks for revocation are issued.
- A source policy is created. The compiler produces serial numbers and "revocable" certificates.

External Language, Offline Signing: Example

Source policy for principal K:

    OK = {K1,K2}

Target policy:

    OK ⊇ {K1 | n1 ∉ K$OKRevoked}
    OK ⊇ {K2 | n2 ∉ K$OKRevoked}

K maintains OKRevoked. Relying parties whose QCM interpreters use these certificates will consult OKRevoked before making conclusions about membership in OK.
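The two compilation schemes, the online one from the Read/Write/Compromised slide and the offline one from the OK = {K1,K2} example just above, as an added example (not the QCM compiler, and not code from the slides). REMOTE is constructed data, and the example assumes Bureau itself is trusted, so Compromised is resolved first and then filters every other e$u lookup.

```python
# Added example, not the QCM compiler: the online-signing scheme (each e$u
# becomes { x | e ∉ Compromised, x ∈ e$u }) run over the Read/Write/Compromised
# policy, and the offline scheme's revocable certificates for OK = {K1,K2}.
# REMOTE is constructed data standing in for other principals' bindings.
REMOTE = {
    ("Alice", "Write"): {"K5", "K6"},
    ("Bureau", "Compromised"): {"Alice"},   # Bureau reports Alice as compromised
}

def qualified(e, u, compromised, remote):
    """Compiled meaning of e$u: nothing at all if principal e is compromised."""
    if e in compromised:
        return set()
    return remote.get((e, u), set())

def online_policy(remote=REMOTE):
    """Read = {K1,K2} ∪ Write;  Write = {K3} ∪ (Alice$Write);
       Compromised = {K4} ∪ Bureau$Compromised.
       Assumption of this example: Bureau itself is trusted (not compromised),
       so Compromised is resolved first and then filters the other lookups."""
    compromised = {"K4"} | remote.get(("Bureau", "Compromised"), set())
    write = {"K3"} | qualified("Alice", "Write", compromised, remote)
    read = {"K1", "K2"} | write
    return {"Compromised": compromised, "Write": write, "Read": read}

def compile_offline(source_ok):
    """Offline scheme: OK = {K1,K2} becomes one revocable certificate per
    member, OK ⊇ {Ki | ni ∉ K$OKRevoked}, each carrying a fresh serial ni."""
    return [(f"n{i}", k) for i, k in enumerate(sorted(source_ok), start=1)]

def relying_party_ok(certs, ok_revoked):
    """The relying party consults K$OKRevoked before concluding k ∈ OK."""
    return {k for serial, k in certs if serial not in ok_revoked}
```

With Bureau listing Alice, Alice$Write contributes nothing and Read collapses to {K1,K2,K3}; with an empty Bureau$Compromised the same policy yields {K1,K2,K3,K5,K6}.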
Security Model
- Positive variables are monotonic with respect to approximation. Negative variables are anti-monotonic with respect to approximation.
- Thus positive variables must be under-estimated, while negative variables must be over-estimated.
- These are the key theorems for the denotational semantics of the internal language.
- The operational semantics (implementation) is shown to conform with the denotational semantics.
Internal Language: Variables and Constants

    Keys                 K ∈ Key
    Constants            c ∈ Key ∪ Num ∪ String ∪ Bool
    Comparables          w ::= c | (w,…,w)
    Positive variables   x+
    Negative variables   x-
    Variables            x
    Positive names       u+
    Negative names       u-
    Names                u
    Polarities           π ::= 0 | + | -
Internal Language: Expressions

    e ::= x                Variables
        | c                Constants
        | e$u              Qualified names
        | {e,…,e}          Enumerated sets
        | (e,…,e)          Tuples
        | Union(e)         Set unions
        | {e | g,…,g}      Comprehensions
        | e@e              Remote evals
        | Compl{w,…,w}     Co-finite sets
Internal Language: The Rest

    g ::= p ∈ e            Generators
        | e = e            Guards
        | e ∈ e
        | e ∉ e
    p ::= x | (x,…,x)      Patterns
    d ::= u = e            Definitions
    P ::= d,…,d            Programs
Sample Typing Rules

    e : 0
    ----- Subsumption
    e : π

    {e1 | g1,…,gn} : π    x : π    e2 : π
    ------------------------------------ Polarity for positive comprehensions (generator)
    {e1 | x ∈ e2, g1, …, gn} : π

    {e1 | g1,…,gn} : π    e3 : -π
    ---------------------------- Polarity for positive comprehensions (negative guard)
    {e1 | e2 ∉ e3, g1, …, gn} : π
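A checker for the three rules above, applied to the School/Employees definitions from the Inconsistencies slide, as an added example (not code from the slides or from QCM). The tuple AST, the treatment of constants as polarity 0, and the base case that a comprehension with no guards has the polarity of its head are this example's assumptions.

```python
# Added example, not from the slides: a checker for the polarity rules above,
# applied to the School/Employees inconsistency.  The AST, the base case for a
# comprehension with no guards (head : π) and constants at polarity 0 are
# this example's assumptions.

def neg(pol):
    """Opposite polarity: -(+) = -, -(-) = +, -(0) = 0."""
    return {"+": "-", "-": "+", "0": "0"}[pol]

def check(e, pol, env):
    """Return True if e : pol is derivable.  env maps variable names to the
    polarity they were declared with ('+', '-' or '0')."""
    kind = e[0]
    if kind == "const":                 # c : 0, then subsumption to any polarity
        return True
    if kind == "var":                   # x : declared polarity; 0 subsumes to any
        declared = env.get(e[1])
        return declared is not None and declared in ("0", pol)
    if kind == "comp":                  # ("comp", head, [guards])
        _, head, guards = e
        env = dict(env)
        for g in guards:
            if g[0] == "gen":           # x ∈ e2:  needs e2 : π, then binds x : π
                _, x, e2 = g
                if not check(e2, pol, env):
                    return False
                env[x] = pol
            elif g[0] == "notin":       # e2 ∉ e3:  needs e3 : -π
                _, _, e3 = g
                if not check(e3, neg(pol), env):
                    return False
            else:
                raise ValueError(f"unknown guard {g[0]}")
        return check(head, pol, env)    # assumed base case: {e1 | } : π iff e1 : π
    raise ValueError(f"unknown expression {kind}")

# Employees = { x | x ∈ School, x ∉ Students }  (the slides' School – Students)
EMPLOYEES = ("comp", ("var", "x"),
             [("gen", "x", ("var", "School")),
              ("notin", ("var", "x"), ("var", "Students"))])

def employees_is_positive(students_polarity):
    """Can Employees be used positively when School is positive and Students
    was declared with the given polarity?"""
    return check(EMPLOYEES, "+", {"School": "+", "Students": students_polarity})
```

With Students positive (under-estimated, as ordinary membership certificates make it), the negative guard fails, which is exactly the inconsistency the earlier slide describes; declaring Students negative lets Employees type-check but then forbids using Students positively inside School.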
Denotational Semantics
- Denotational semantics in terms of a universal domain derived from a recursive domain equation.
- Monotonicity Theorem:
  - Monotone in positive variables.
  - Anti-monotone in negative variables.
  - Related comparables are equal.
Operational Semantics
- Operational semantics in terms of local and global operational rules.
- Local Soundness Theorem: denotational meaning is preserved by the local operational rules.
- Soundness Theorem: global operational rules provide approximations with proper polarity.

Conclusions
- Policy-directed certificate retrieval is possible for long-term certificates with revocation.
- The compilation architecture aids convenience, but decreases flexibility.
- A precise model of security is essential.