Contributions of SSH Communications Security in PKI
SSH Communications Security has worked with Public Key Infrastructure since mid 1990s. We participated in the creation of the original PKI standards, co-authored an laternate proposal called SPKI (Simple Public Key Infrastructure), and co-authored various protocols related to SSH Key Management and Certificate Management. Some of the work is illustrated here.
Certifier - Advanced Certificate Authority Product
SSH released a certificate authority product called Certifier in 2001. It was way ahead of its time, with support for multiple certificate authorities, multiple registration authorities, automated rules for selecting which certificate authority to get a certificate from, automated policy rules, and strong support for automatic certificate management protocols. Its customers included, for example, Global Crossing (a major telecommunications operator) in the United States.
The product has been licensed to Insta Security Solutions and continues to be actively sold by them, mostly to the telecommunications market. SSH still owns rights to the product, but is not currently selling it directly. Several of the original developers of Certifier still work for SSH.
Simple Public Key Infrastructure (SPKI)
This was work done within the IETF (Internet Engineering Task Force) and was proposed as an alternative to the X.509 standard. SPKI would have addressed many of the weaknesses of X.509 that have become evident in recent years.
Among the main design points of SPKI where:
- Simple yet powerful certificate formats designed from scratch, rather than complex ASN.1 DER encodings, which have resulted in numerous bugs and vulnerabilities over the years.
- A certification model that does not rely on single signers, but rather a K-of-N trust model, so that no single compromised Certificate Authority or government could forge certificates for anyone at will. We've seen examples of bad certificates many times, for example with Symantec improperly issuing 30,000 certificates.
- Powerful access control lists for authorizing operations.
While the work did not lead to a standard, the main documents are available as experimental RFCs.
- RFC 2693 - SPKI Certificate Theory
- RFC 2692 - SPKI Requirements
- Internet Draft: Proposal for SPKI Certificate Formats and Semantics
Certificate Management Protocol Standards
We co-authored some of the IETF Certificate Management Protocol standards that are now used for automatic certificate management in telecommunications devices, routers, and other equipment. These may turn out to be highly important in Internet of Things as well. That was work primary done by Tomi Kause.
- RFC 6712 - Internet X.509 Public Key Infrastructure - HTTP Transfer for the Certificate Management Protocol (CMP)
SSH also owns US Patent 7,356,693 - Method for producing certificate revocation lists. That was work done by Tero Kivinen and Tomi Kause.