PKI-based trust management in inter-domain scenarios

Hierarchical cross-certification fits well within large organizations that want their root CA to have direct control over all subordinate CAs. However, both Peer-to-Peer and Bridge CA cross-certification models suits better than the hierarchical one with organizations where a certain level of flexibility is needed to form and revoke trust relationships with other organizations as changing policy or business needs dictate. It seems that this second approach better fits the current and next-generation inter-domain networking models existing in both the wired and wireless Internet. In this context, this paper analyses some relevant inter-domain scenarios and derives the main requirements in terms of cross-certification from them. It then describes the design and lab implementation of a pan-European scenario which is based on a research network composed by a set of organizations that may have their own PKIs running, and that are interested to link with others in terms of certification services. It provides a complete design, implementation and performance analysis for this complex scenario, including a procedure and practical recommendations for building and validating certification paths.