Usable trust anchor management

Massimiliano Pala, S. A. Rea
Venue: Symposium on Identity and Trust on the Internet
Publication date: 2009-04-14
DOI: 10.1145/1527017.1527025 (https://doi.org/10.1145/1527017.1527025)
Citations: 2

Abstract

Security in browsers is based upon users trusting a set of root Certificate Authorities (called Trust Anchors) which they may know little or nothing about. Browser vendors face a difficult challenge to provide an appropriate interface for users. Providing usable Trust Anchor Management (TAM) for users, applications and PKI deployers is a complex task. The PKIX working group at Internet Engineering Task Force (IETF) is working on a new protocol, the Trust Anchor Management Protocol (TAMP), which will provide a standardized method to automatically manage trust anchors in applications and devices. Although promising, this protocol does not go far enough to allow users to gather information about previously unknown trust anchors in an automatic fashion. We have proposed the PKI Resource Query Protocol (PRQP)---which is currently an Internet Draft on Experimental Track with IETF---to provide applications with an automatic discovery system for PKI management. In this paper we describe the basic architecture and capabilities of PRQP that allow Browsers to provide a more complete set of trust anchor management services. We also provide the design of a PRQP enabled infrastructure that uses a trust association mechanism to provide an easy solution for managing Trust Anchors for Virtual Organizations.