
X.509 Certificate
Introduction
An X.509 certificate is a digital certificate that uses the X.509 public key infrastructure
(PKI) standard to verify that a public key belongs to the user.

Proposed by the International Telegraph Union Telecommunication Standardization
Sector (ITU-T) in order to standardize formats for attribute certificates, public key
certificates, certificate revocation lists, and certification validation algorithms

Used for identity validation and for transmission of encrypted data that only the
owner of the certificate is able to decrypt

X.509 certificates contain information about the owner.

The certificate is tied to a public key value

This tells the application or server that the entity trying to access it is legitimate
History of X.509

X.509 was initially issued on July 3, 1988 and was begun in association with the X.500
standard.

It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the
certificates.

Today the X.500 directory has been abandoned

However, the X.509 trust model has survived and has been largely adopted on the Internet.
The first adoption of this trust model goes back to the X.509 implementation of SSL for
the Web browser Netscape in 1994.
Entities in X.509 certificate management.

A Public Key Infrastructure (PKI) is considered one of the most important
techniques used to propagate trust in authentication over the Internet.

This technology is based on a trust model defined by the original X.509 (1988)
standard and is composed of three entities:

1. Certification authority (CA)

2. Certificate holder (or subject)

3. Relying Party (RP)

Certificate is issued by Certification Authority (CA) and is signed with the
private key of the CA

CA’s private key must be very private, it is the basis of all trust for issued certificates

Trusted third party issuing certificates

Each CA creates certificates for its certificate holder (CH) using its own
practices and guarantees to relying party (RP)


In the X.509 system, an organization that wants a signed certificate requests one via a
certificate signing request (CSR).

To do this, it first generates a key pair, keeping the private key secret and using it to sign
the CSR. The CSR contains information identifying the applicant and the applicant's public key,
which is used to verify the signature of the CSR. The CSR may be accompanied by other
credentials or proofs of identity required by the certificate authority.

The certification authority issues a certificate binding a public key to a particular
distinguished name.
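
The CSR exchange described above, as an added example that is not part of the original slides: the applicant signs a CSR with its private key, and the CA verifies that signature with the public key carried in the CSR, so a request altered in transit is rejected. It assumes the Python cryptography package; the helper functions and the names alice.example.test and admin.example.test are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample names (same length, so a byte swap keeps the DER valid).
APPLICANT_CN = "alice.example.test"
FORGED_CN = "admin.example.test"


def make_csr(common_name):
    """Applicant: generate a key pair and sign a CSR with the private key."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(private_key, hashes.SHA256())
    )
    # Only the CSR leaves the applicant; the private key stays local.
    return private_key, csr.public_bytes(serialization.Encoding.DER)


def ca_check_csr(der):
    """CA: verify the CSR signature with the public key inside the CSR."""
    csr = x509.load_der_x509_csr(der)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return csr.is_signature_valid, cn


def tamper_subject(der, old_cn, new_cn):
    """Simulate a CSR altered in transit: swap the subject name bytes."""
    if len(old_cn) != len(new_cn):
        raise ValueError("names must have equal length to keep DER lengths intact")
    return der.replace(old_cn.encode(), new_cn.encode(), 1)


if __name__ == "__main__":
    key, der = make_csr(APPLICANT_CN)
    print("genuine CSR :", ca_check_csr(der))
    print("altered CSR :", ca_check_csr(tamper_subject(der, APPLICANT_CN, FORGED_CN)))
```

The signature check proves only that the requester holds the private key matching the public key in the CSR; the CA still has to validate the claimed identity through the other credentials mentioned above.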
Structure of the certificate
Trust Models

Various trust models that are going to be covered:

1. Inter-CA Trust Topologies

2. Recognition by an RP or an Independent TTP

3. Trust Framework Architectural Model (TLoCERT Calculation)


1. Inter-CA Trust Topologies

1. Fundamental thought -> Each RP trusts a CA, which vouches for other CAs to
its RPs.

2. CAs assume two roles: certificate manager and declarations recommender.

3. Trust connections between CAs are formalized using cross-certificates issued to
each other.
1. Inter-CA Trust Topologies (contd.)
2. Recognition by an RP or an independent TTP

1. Fundamental thought -> users in a given community can obtain advice from the leader
of this community about the relevance of certificates for their electronic transactions.

2. The recommenders create a list of minimum requirements and recognize all CAs whose
certificates have assurance levels greater than the minimum requirements.

3. The trust list topology may be built using a political process called the cross-recognition
process.
2. Recognition by an RP or an independent TTP (contd.)

1. Cross-recognition differs from cross-certification by the fact that it is not performed by
a CA.

2. Because the recommender is independent of CAs and there is no need to build
certification paths for the validation of certificates, the recognition approach is more
convenient.
3. Trust Framework Architectural Model (TLoCERT calculation)
1. Fundamental thought -> Determining the factors which have an influence on certificate
trustworthiness is a main task for computing its trust level.
2. The TLoCERT calculation method involves quantitatively measuring this trust level.

A. Computing RoCERT -> Three ratings (RoCERT) 0, 0.5, 1 which are assigned to the
certificate and express its initial correctness evaluation.

B. Calculating the CA trust level TLoCA ->

1) Calculating the RepScore

RepScore = a*rtg + (1-a)*OldRepScore
2) Evaluating a SLoCA

The SLoCA values are 1, 0.5, and 0 that correspond to strong, medium, and weak.

3) Determining TLoCA

C. Calculating the CPQ

The nine primary components: Introduction; Publication and Repository; Identification
and Authentication; Certificate Life-Cycle Operational Requirements; Facilities, Management,
and Operational Controls; Technical Security Controls; Certificate, CRL, and OCSP Profile;
Compliance Audit; Other Business and Legal Matters.
2) Formula to calculate CPQ

D. Calculating the TLoCERT

As mentioned previously, computing TLoCERT is based on three parameters that are
the CPQ, TLoCA, and RoCERT.
Conclusion

1. X.509 certificates have been largely adopted today by many people and organizations
for proving their identities.

2. So the reliability and trust levels of these certificates come into question.

3. As a solution, different trust models were proposed and we did a survey on these
models so as to evaluate each one of these.
