In Public Key Infrastructure (PKI), the simple, monopolistic organizational model of certificate issuing entities works fine until we consider real-world issues. Then, issues such as scalability and mutually suspicious organizations create the need for a multiplicity of certificate issuing entities, which introduces the problem of how to organize them to balance resilience to compromise against efficiency of path discovery. Many solutions involve organizing the infrastructure to follow a natural organizational hierarchy, but in some cases, such a natural organizational hierarchy may not exist.

However, systems research has given us secure coprocessing for securely carrying out computations among multiple trust domains. Cryptography has produced a number of methods for distributing cryptographic computations, such as secret splitting and threshold cryptography. Last, distributed computing has given us peer-to-peer networking, for creating self-organizing distributed systems.

In this paper, we use these latter tools to address the former problem by overlaying a virtual hierarchy on a mesh architecture of peer certificate issuing entities, and achieving both resilience and efficiency.


J. Marchesini, S.W. Smith.
"Virtual Hierarchies: An Architecture for Building and Maintaining Efficient and Resilient Trust Chains."
Proceedings of the 7th Nordic Workshop on Secure IT Systems (NORDSEC 2002).
Karlstad University Studies. November 2002