Australian PKI experience


1 Australian PKI experience
[Slide diagram. Panel titles: "US PKI experience", "Australian PKI experience". Labels: Policy mappings, Bridge CA, Disseminate scheme OID, Admin, System 1, System 2, Online Service, Level of Responsibility / Trust, Scheme X, Scheme Y, External RP, A, B.]

In a typical public service PKI, trust levels are like security clearances. Officials in different systems need to be able to ascertain one another’s trust level, to judge whether classified information can be disclosed/trusted. The Relying Party’s question is: Is your trust level equivalent to mine, or is it higher or lower?

Cross certification between the issuers of A and B’s credentials delivers additional credentials (cross certificates) to demonstrate equivalence of the respective originals. Alternatively, the Bridge CA, equipped with a database of mapped Policies from each member system’s PKI, delivers a real time answer to the question of equivalence of credentials.

In a scheme based PKI, members are issued credentials by the administrator who vouches for their legitimacy to carry out prescribed types of transactions governed by the scheme. The scheme is not necessarily closed, but all Relying Parties must recognise, out of band, the authority of the scheme. The Relying Party’s question is: Are you a legitimate member of scheme X which I recognise?

Automatic [cross] recognition of a member’s credentials – as required by a service provider within the scheme or a Relying Party outside the scheme – is enabled by unique Policy Identifiers contained in the credentials.

Stephen Wilson
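The two Relying Party questions described above, side by side, as an added Python example that is not part of the presentation: a bridge lookup that ranks two credentials, and a scheme check that only tests membership by policy identifier. It assumes signature and chain validation have already succeeded; the OIDs (all under the 2.999 example arc), domain names, mapped levels and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Every OID is under 2.999, the arc reserved for examples.
# Bridge model: the bridge holds each member PKI's policy OIDs mapped to a common level.
BRIDGE_MAP = {
    ("system1", "2.999.1.1"): 1,
    ("system1", "2.999.1.2"): 2,
    ("system2", "2.999.2.10"): 1,
    ("system2", "2.999.2.20"): 2,
    ("system2", "2.999.2.30"): 3,
}
# Scheme model: scheme OIDs this relying party has accepted out of band.
RECOGNISED_SCHEMES = {"2.999.7.1": "Scheme X"}


@dataclass(frozen=True)
class Credential:
    subject: str
    issuer_domain: str
    policy_oids: tuple  # policy identifiers carried in the credential


def bridge_compare(mine: Credential, theirs: Credential) -> str:
    """Answer: is your trust level equivalent to mine, higher or lower?"""
    def level(cred):
        levels = [BRIDGE_MAP[(cred.issuer_domain, oid)]
                  for oid in cred.policy_oids
                  if (cred.issuer_domain, oid) in BRIDGE_MAP]
        return max(levels) if levels else None

    a, b = level(mine), level(theirs)
    if a is None or b is None:
        return "unmapped"  # nothing mapped at the bridge: make no equivalence claim
    return "equivalent" if a == b else ("higher" if b > a else "lower")


def scheme_membership(cred: Credential, recognised=RECOGNISED_SCHEMES):
    """Answer: are you a legitimate member of a scheme I recognise?"""
    for oid in cred.policy_oids:
        if oid in recognised:  # exact OID match, never a string-prefix match
            return recognised[oid]
    return None  # fail closed: not a member of any recognised scheme


A = Credential("A", "system1", ("2.999.1.2",))
B = Credential("B", "system2", ("2.999.2.30",))
MEMBER = Credential("member", "schemeX-admin", ("2.999.7.1",))
OUTSIDER = Credential("outsider", "schemeY-admin", ("2.999.7.10",))
```

The scheme check never ranks credentials: a credential from an issuer the bridge has no mappings for comes back "unmapped" from the bridge yet can still be accepted as a Scheme X member.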

