Contributions of SSH Communications Security in PKI
SSH Communications Security has worked with Public Key Infrastructure (PKI) since mid 1990s. We participated in the creation of the original PKI standards, co-authored an alternate proposal called SPKI (Simple Public Key Infrastructure), co-authored various protocols related to SSH Key Management and Certificate Management, and built an advanced multi-CA certificate authority product. Some of the work is illustrated here.
SSH Certifier - Advanced Multi-CA Certificate Authority Product
SSH released a certificate authority product called SSH Certifier in 2001. It was way ahead of its time, with support for multiple certificate authorities, multiple registration authorities, a policy engine for selecting which certificate authority to get a certificate from, automated policy rules, and support for automatic certificate management protocols and other methods of automated certificate enrollment. Its customers included, for example, Global Crossing (a major telecommunications operator) in the United States, University of Tokio, and Helsinki University of Technology.
The product is now sold by Insta Security Solutions as Insta Certifier. It is primarily known in the telecommunications market. SSH still owns rights to the product, but is not currently selling it directly. Several of the original developers of Certifier still work for SSH.
- Documentation of SSH Certifier 3.0.1
- PKI Forum Advances Interoperability of Certificate Lifecycle Management (Jan 20, 2001)
- SSH Certifier 2.0 Available, partnership with University of Tokio (in Finnish) (June 8, 2001)
- SSH Announces Advanced Online PKI --Public Key Infrastructure-- Interoperability Testing Platform Targeted Toward Developers, Service Providers and Enterprises (Dec 4, 2001)
- SSH to Introduce Two New Application Versions for the SSH Certifier PKI Product Family (Sept 25, 2002)
- SSH Announces Partnership with Rainbow Technologies to Provide Cost Effective and Flexible PKI-Based Token Deployment for Enterprises (Nov 19, 2002)
- Helsinki University of Technology Chooses SSH Certifier to Authenticate Electronic Services (Dec 17, 2002)
- SSH Inks Government Technology Reseller Agreement With IGOV.Com (Apr 8, 2003)
Simple Public Key Infrastructure (SPKI)
The simple public key infrastructure (SPKI) was work done within the IETF (Internet Engineering Task Force) and was proposed as an alternative to the X.509 standard. SPKI would have addressed many of the weaknesses of X.509 that have become evident in recent years.
Among the main design points of SPKI where:
- Simple yet powerful certificate formats designed from scratch, rather than complex ASN.1 DER encodings, which have resulted in numerous bugs and vulnerabilities over the years.
- A certification model that does not rely on single signers, but rather a K-of-N trust model, so that no single compromised Certificate Authority or government could forge certificates for anyone at will. We've seen examples of bad certificates many times, for example with Symantec improperly issuing 30,000 certificates.
- Powerful access control lists for authorizing operations.
While the work did not lead to a standard, the main documents are available as experimental RFCs.
- RFC 2693 - SPKI Certificate Theory
- RFC 2692 - SPKI Requirements
- Internet Draft: Proposal for SPKI Certificate Formats and Semantics
Certificate Management Protocol Standards
We co-authored some of the IETF Certificate Management Protocol standards that are now used for automatic certificate management in telecommunications devices, routers, and other equipment. These may turn out to be highly important in Internet of Things as well. That was work primary done by Tomi Kause.
- RFC 6712 - Internet X.509 Public Key Infrastructure - HTTP Transfer for the Certificate Management Protocol (CMP)
SSH also owns US Patent 7,356,693 - Method for producing certificate revocation lists. That was work done by Tero Kivinen and Tomi Kause.