Multi-Level Trust in E-Government Certiﬁcation

Practice

Amel MEDDEB

, Arbia RIAHI

and Manel ABDELKADER

National Digital Certiﬁcation Agency, 3 bis rue d’Angleterre, Tunis RP 1000, Tunisia

Abstract. Trust management has been addressed recently to provide networked

systems with the appropriate mechanisms to perform any conformance checking

with respect to a security policy in e-business and e-government. Trust manage-

ment is an important issue for the deployment and success of e-government. Be-

sides, public-key infrastructures manage trust in data exchanges through email,

over the web and using other electronic means. The principal elements used for

maintaining that trust are the contents of the certiﬁcates and the security safe-

guards established in the environments where various parties are involved. These

two elements are derived from the business requirements, according to the stip-

ulations of the certiﬁcate policy and the applicable regulation. We show in this

paper the need to introduce the paradigm of multi-level trust in e-government

systems, and propose a solution that provides X.509 standards with the modiﬁca-

tions to allow multi-level trust certiﬁcate management, publication, and efﬁcient

use.

1 Introduction

The role that information and communications technologies (ICT) are playing in our

daily lives becomes more pronounced. ICT applications help the improvement of the ef-

fectiveness and efﬁciency of government and change its relationship with the citizens by

improving its process and management. E-government refers to the use of information

technology to overcome the physical bounds of traditional and physical based systems

while offering better quality of service to citizens and enterprises [1]. Its adoption aims

to enhance government services to beneﬁt citizens and enterprises through the use of

web-based Internet applications. To protect transactions and privacy in e-government,

on-line security is essential. Consequently, new problems related to security and privacy

of data networks have emerged.

Various reliable features need to be made available to help a rapid and efﬁcient

deployment of e-government. These features are made up of mechanisms of authenti-

cating users accessing the government network, guaranteeing the integrity of messages,

ensuring the non-repudiation of the intervening parties, and controlling access to sensi-

tive information [2]. An effective approach to contribute to the establishment of trusted

communication between e-government parties is the use of Public Key Infrastructure

(PKI). Through the use of X.509 digital certiﬁcates, PKI veriﬁes the identity of the par-

ties involved in on-line transactions, ensures that data has not been altered in transit,

prevents parties from repudiating having sent (or received) a message, and guarantees

conﬁdentiality of sensitive data.

Riahi A., Meddeb A. and Abdelkader M. (2004).

Multi-Level Trust in E-Government Certiﬁcation Practice.

In Proceedings of the 1st International Workshop on Electronic Government and Commerce: Design, Modeling, Analysis and Security, pages 13-23

DOI: 10.5220/0001405100130023

 SciTePress

Access policies to government services can not be managed easily. According to

a speciﬁc policy, each entity may be granted a set of permissions to perform speciﬁc

actions on certain targets. The architecture, services, and roles performed by the govern-

ment agencies are very divergent in their nature and the way they should be protected.

For example, the protection provided for a given transaction may vary based on the im-

portance of the transaction itself, the data it includes (e.g., amount of money, priority,

privacy, etc.), and the site it accesses. Consequently, many levels of trust need to be

made available in an e-government environment. However, once we get into details, it

becomes increasingly evident that the trust model conforming X.509 is not particularly

appropriate for e-government [3,4]. One major shortcoming of the X.509 certiﬁcates is

that they are not ﬂexible and offer only one level of trust. Therefore, it can not fulﬁll the

requirements of e-government needs.

This paper proposes a multi-trust model integrating the X.509 certiﬁcate model in an

e-government environment. It provides the modiﬁcations needed by relevant functions,

and organizes an appropriate LDAP hierarchy for the publication of multi-trust certiﬁ-

cates. Our contribution is three-fold. First, it keeps the main features of the X.509 (e.g.,

use of global names, certiﬁcates and revocation procedure). Second, it organizes con-

ceptually various layers where certiﬁcates offering the same level of trust are located,

while allowing certiﬁcates to handle more than one trust level. Finally, it describes

and justiﬁes the modiﬁcations to the main functions of certiﬁcate management. The re-

maining part of this paper is organized as follows. In the second section, we address

the different requirements that must be fulﬁlled by a PKI to respond to the different

needs of the e-government and cope with the provision of various levels of trust. The

third section presents the modiﬁcations that should be introduced to a PKI to add the

multi-trust model. In the fourth section, a strategy of analysis is presented to ensure an

adequate choice of a PKI architecture in an e-government environment with multi-trust

levels, and estimate the cost of adding new features. The last section presents a case

study of a model allowing a reduced set of trust levels.

2 Requirements for e-government PKI

In an e-government environment, many issues need to be addressed when establishing

a PKI [1]. These issues include the following tasks:

* Provide public certiﬁcation services (including certiﬁcate public archives for veriﬁca-

tion) and customized registration authorities (RAs).

* Provide technical speciﬁcations for government PKI standard documents (including

documents such as Certiﬁcation Policy and Certiﬁcate practice Statements).

* Issue and manage certiﬁcate services (publishing, revocation, renewal, time stamping,

and validating certiﬁcates).

* Provide application programming interface (API) for data encryption, digital signa-

ture, and digital envelope and many other on-line services.

* Address PKI Interoperability and trust paths including interconnection issues between

Certiﬁcation Authorities (CA), Cross certiﬁcation policy, Cross-border interoperability

with other governments (eg. Bridge CA, Strict hierarchy).

* Consider Information management issues related to digitally signed documents such

as legal archiving and on-line consulting.

As said before, within the frame of government projects, access rights to different

departments are not managed in the same manner. Diversity of applications, services

and policies from an e-government environment to an other may lead to considerable

variability of security requirements and access control needs. Different levels of trust

must be allocated to the intervening individuals and departments, while keeping some

of the centralization feature and dividing the e-government environment into two main

domains: public, where citizens and enterprises can access and interfere, and private,

where access, authentication, and authorizations is strictly handled.

relation <

level of trust

Authority in control of levels

Certificates under level a

separation of the hierarchy levels

highest trust level

sup

lowest trust level

low

Fig. 1. The trust levels in an e-government

The public domain represents the interface with citizens accessing services. To ben-

eﬁt from a service, certain requirements must be deﬁned by the service provider and

fulﬁlled by the service applicants. According to these requirements, the offered ser-

vices can be classiﬁed into different categories based on the users need and constraints.

The private domain contains a set of resources internal to the departments themselves.

Access rights to these resources by the personnel are managed in different ways accord-

ing to their importance and conﬁdentiality and the sensitivity of the resource they may

access. Thus, these resources may be assembled into different categories. To fulﬁll the

e-government needs, the concept of PKI must be adapted. Different levels of trust must

be deﬁned according to the users access rights and service constraints. In this trend,

the classical architecture and functions of PKI must be modiﬁed to satisfy these needs.

Since it is widely used, the X.509 standard will be kept for the adopted certiﬁcate struc-

ture. The contents of the deployed adapted X.509 certiﬁcates should be made in order to

support multi-levels of trust. The trust levels deﬁned in a given e-government environ-

ment should be linked using a relational order, say ¹. Thus, when Λ = {n

, ..., n

level

}

designates the set of authorized levels deﬁned in a given e-government environment,

the following constraint should be kept always true in the sequel:

∀n ∈ Λ, ∀m ∈ Λ : ∃b ∈ Λ, b = lub(n, m) in (Λ, ¹) (1)

Equation 1 means that the ordered set (Λ, ¹) is a lattice; that is, any pair (n, m) of

trust levels should have a least upper bound b ∈ Λ such that (n ¹ b) and (m ¹ b), and

that any level b

satisfying: (n ¹ b

) and (m ¹ b

), should satisfy (b ¹ b

). Moreover,

the need for uniform procedure have led us to consider that the lattice (Λ, ¹) should be

a complete lattice, in the sense that any ﬁnite ordered sequence of trust levels in (Λ, ¹),

say n

¹ n

¹ ... ¹ n

, should have a least upper bound b

sup

. In addition, we assume

that the lattice (Λ, ¹) should have a lowest element b

low

satisfying: ∀n ∈ Λ : b

low

All these assumptions have been considered for the need to provide an environment

where a set of uniform rules can apply for conforming certiﬁcates and CAs. According

to this, many features can be concluded. First, this implies that the e-government has a

central (or root) authority, which is the highest element in (Λ, ¹). Second, this means

that different levels of trust can exist in (Λ, ¹)and could not be compared with each

other. This states that departments occurring in the e-government can manage their own

trust levels with no need to compare them to the other departments. Third, this states

that all department in the e-government agree on a minimal level of trust. The lattice

structure is partially depicted in Figure 1 which shows the link between certiﬁcates and

levels of trust and organizes the trust levels under the control of entities called CAs. Let

us now assume that citizens and enterprises accessing any service in the e-government

should be able to do it and that all identiﬁcation, access control, or authentication pro-

cedure should be based on a unique proof provided by the applicant. In the sequence

we will provide a digital certiﬁcate enhancement to contain the multi-level trust need

by the e-government services.

3 Management of multi-trust in e-government

3.1 Multi-trust certiﬁcate structure

Table 1. Certiﬁcate policies extension syntax

id-ce-certiﬁcatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }

anyPolicy OBJECT IDENTIFIER ::= { id-ce-certiﬁcatePolicies 0 }

CertiﬁcatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation PolicyIn-

formation ::= SEQUENCE { policyIdentiﬁer CertPolicyId }

CertPolicyId ::= OBJECT IDENTIFIER

To manage multi-trust, n

level

(> 1) levels must be deﬁned within a PKI framework.

This condition is expressed in the certiﬁcate through the Certiﬁcate Policies Extension

as speciﬁed in Table 1. These extensions are used to indicate the policy under which the

certiﬁcate has been issued and the purposes for which the certiﬁcate may be used [5].

The value of the CertificatePolicies ﬁeld is a set of integers contained in N =

, n

level

}. Each value of these integers corresponds to a trust level of the certiﬁcate.

At the veriﬁcation level, access can be granted to applicant according to the value of

this ﬁeld. Thus, when a citizen or an enterprise is assigned a given subset of trust levels,

the subset is reported in PolicyInformation in the CertificatePolicies

extension. Each level of trust is introduced by a policyIdentifier deﬁned by the

e-government PKI.

In the following, we will present the modiﬁcations to be introduced within the

framework of an e-government PKI that supports multi-trust levels. In this PKI, each

principal (entity or organization) p possesses a a subset N

of trust levels. The repre-

sentation of N

contains only the maximal element assigned to entity p. This means

that whenever n ∈ N

and m is a trust level lower than n, then m is allowed to entity

p. However, for the sake of simplicity we assume that subset N

is at least reduced to

the minimal element in Λ, say ⊇ {b

low

}. The value of ”b

low

” expresses that no trust

level is attributed to entity p, since no interaction can be deﬁned with any domain.

3.2 Hierarchical LDAP

The LDAP repository presents an important role during the veriﬁcation process in PKIs.

The modiﬁcations in the structure of the certiﬁcates used in the PKI have a direct im-

pact on the architecture and the management of the LDAP. The introduction of different

levels of trust in the certiﬁcates should be appearing in the LDAP to facilitate the ac-

cess and the treatments done by the applications of the e-government for the certiﬁcate

veriﬁcations. LDAP can be considered as a set of clusters indexed by the set Λ We can

assume, for the sake of veriﬁcation simplicity, that a certiﬁcate marked by a subset of

trust levels N

occurs in all clusters indexed by N

Each CA, present in the e-government PKI, deﬁnes its LDAP repository to publish

the certiﬁcates and the certiﬁcate revocation lists it generates. LDAP architecture should

distinguish the different levels of trust deﬁned in the certiﬁcates. Two cases should be

examined. First, LDAP deﬁnes a hierarchical data structure. It presents a single root

node under which can be deﬁned different subordinate nodes for any depth chosen by

the administrator. This architecture can be exploited to emphasize the levels of trust

deﬁned in the certiﬁcates generated by a CA. Then, under the root of each LDAP repos-

itory, the information related to the certiﬁcates holders are classiﬁed by organization.

Among these information, we distinguish the levels of trust mentioned in the digital

certiﬁcates. Figure 2 gives an overview of the LDAP architecture. Second, certiﬁcate

retrieval and veriﬁcation in the LDAP should present the ability to read the levels of

trust of the certiﬁcate and to realize the searches using the attribute specifying the trust

level. In this trend, we can adopt the approach of Klasen and Gietz [6,7] which pro-

poses the extraction of the different attributes of the X.509 certiﬁcate and their storage

as researchable attributes in the LDAP repository.

npn1 npn1 npn1

Root

levels

CN1

CN2

O2O1

OU1 OU2 OU3

Fig. 2. The LDAP architecture for multi-trust PKI

3.3 Trust level veriﬁcation

The trust level veriﬁcation is initiated by the applications deﬁned in the e-government

environment. When a citizen desires to beneﬁt from a service, he presents its certiﬁcate

to the given service. The latter extracts the level of trust, by which it is concerned, from

the certiﬁcate. Then, it veriﬁes its existence in the corresponding LDAP repository. At

the LDAP level, the research starts by the determination of the common name and the

level of trust. Next, the existence of the asked certiﬁcate is veriﬁed. In addition, the

certiﬁcate is searched in the certiﬁcate revocation list of that level.

4 PKI organization

4.1 Registration

During the registration process, user applies for a certiﬁcate with a given trust level. RA

must deﬁne a set of procedures for user identity veriﬁcation related to each trust level.

When applying for a certiﬁcate, concerned entities must submit certain information.

The correspondence between the provided information and the required certiﬁcate level

of trust must be deﬁned and veriﬁed by RA. If this correspondence is veriﬁed, the RA

generates a certiﬁcate request containing the user’s public key and the certiﬁcate infor-

mation including information related to the trust level. If the correspondence can not be

veriﬁed, RA must contact the applicant to review the level of trust that he/she applies

for. In situations where an applicant wants to add a new level of trust, the following four

cases have to be considered.

First, if the user with a trust level n

in some domain requires to upgrade his trust

level inside that domain. Then, a new trust level n

will be assigned to him under the

condition that there exist a direct relation between n

and n

expressed by n

≥ n

The ﬁrst certiﬁcate with the trust level n

must be revoked before the generation of the

certiﬁcate with the new level of trust.

Second, if a user belongs to many different domains, then he can have a certiﬁcate that

contains as many trust levels as many domains to which he belongs.

Third, if the trust level in some domain of a given user must be modiﬁed and there is

no direct relationship between the old trust level and the required one (n

), then the

user gets a new certiﬁcate with the trust level n

in addition to his old certiﬁcate. One

of these certiﬁcates can be presented in function of the level of trust required by a given

application.

Fourth, if we consider the case of CA, the trust level is denoted n

. For each n ∈

low

, b

sup

}, CA can only issue certiﬁcates to entities with a trust level n

entity

< n

This means that a given CA in the considered environment can not issue certiﬁcates to

entities with a higher trust levels than that it owns.

Illustrative example. If an employee is working for one department and he/she has

been promoted without changing his/her workplace, then he/she can beneﬁt from a

higher level of trust in that department. His certiﬁcate must be replaced by a new cer-

tiﬁcate with a higher level of trust (see ﬁrst case). However, if an employee works for

user−domain

(> 1) departments, he/she can require a certiﬁcate with n

user−domain

trust levels. The way this is done proceeds ﬁrst by choosing the maximal levels of trust,

then deﬁning a subset N

contains these levels, and ﬁnally mark the correct certiﬁcate

with N

(see second case). Finally, if we consider the case of an employee involved into

two independent e-government domains ; then two certiﬁcates must be generated. The

ﬁrst certiﬁcate is used in the ﬁrst domain which requires a given trust level ; whereas

the second certiﬁcate will be used in the second domain that deﬁnes dissimilar trust

requirements. Speciﬁc values of trust must be attributed to each certiﬁcate but are in-

dependent since each certiﬁcate will be used in a separate context. This means that one

certiﬁcate can be kept in use but may not cover all potential activities of the certiﬁcate

holder (see third case).

4.2 Generation

The generation process takes place once CA receives the certiﬁcate request. The num-

ber of PolicyIdentifier ﬁelds is equal to the number of the trust levels. These ﬁelds

are added when the request ﬁle is generated as speciﬁed in 3.1. The standards PKCS

are slightly modiﬁed accordingly. CA authenticates the origin of the certiﬁcate request

and, then signs the certiﬁcates with the requested trust levels. After its generation, the

certiﬁcate publication starts at this level of the PKI. For the commodity of servers man-

agement, we propose that, at least, every certiﬁcate authority publishes certiﬁcates it

generates on a publication server it manages.

4.3 Revocation

Revocation process occurs when any information in the certiﬁcate is modiﬁed. It is

preferable to customize the periodicity and the priority of certiﬁcate revocation and

CRL issuance according to the level of trust. A set of procedures is deﬁned for each level

of trust. Certiﬁcates with high level of trust need strong authentication (eg. physical

presence).

If it is a concern of priority, then the trust level must be taken in consideration.

Certiﬁcates with a low level of trust can be gathered in bundles and revoked together.

Authentication through passwords is enough to authenticate their holders. The lasting

period of revocation request can be set in function of certiﬁcate levels of trust. Cer-

tiﬁcates with a high level of trust must be revoked immediately if the applicant can

be correctly authenticated. If this requirement can not be fulﬁlled at the moment of

application, certiﬁcates are suspended at the revocation request reception and then re-

voked after applicant authentication. Certiﬁcates with a high level of trust are prior to

be revoked. A new CRL must be issued after each certiﬁcate revocation and then made

available for e-government entities. Periodicity of CRLs issuance and publication vary

in function of the trust level. Thus, a set of rules must be clearly deﬁned by the PKI to

handle certiﬁcate revocation and CRLs in function of the relevant level of trust.

4.4 Veriﬁcation

The veriﬁcation process can be divided into two parts. First the veriﬁer must construct

the trust chain beginning from the end user’s certiﬁcate until the root CA. Then, the

veriﬁer must verify whether each certiﬁcate in the chain is valid. Second, the trust level

in the certiﬁcate must be veriﬁed to check whether the certiﬁcate holder has the right

to access a given resource in a given environment. When accessing the LDAP server to

verify a user’s certiﬁcate, the common name and the trust levels of the certiﬁcate holder

are extracted. The veriﬁcation is performed when examining the corresponding entries

in the LDAP hierarchy to check whether the level of trust assigned to the end entity is

exact and whether the certiﬁcate is valid (by examining the CRL).

4.5 Publication

The publication process is initiated by the CA. In the publication server, the information

related to each entry are classiﬁed under its relevant organization name and organization

unit name. When a request is sent to the server to add up one entry, the server must

extract the level(s) of trust from the certiﬁcate to be published. These levels must appear

as researchable attributes in the repository content.

5 Strategy of analysis

In the proposed model of PKI with multi-trust support, the compliance with X.509

standard is kept unchanged. Our model can be implemented based on the existing PKI

platforms. In fact, to adopt the suitable solution to implement the PKI, we must analyze

and compare the existing products in order to compare the cost of adding the new fea-

tures to the existing platforms. To this end, a set of criteria and comparison rules must be

built to distinguish between them. When evaluating PKI products, the NSS group con-

siders the following sets of criteria: certiﬁcate support, revocation methods, scalability,

security, PKI topologies, registration mechanisms, directory support, smart card/token

support, key management, management interface, interoperability, third party applica-

tion support, price, etc. [8]

Available platforms do not support multi-trust levels. The strategy analysis pre-

sented in [8] does not invoke sufﬁcient parameters to evaluate the PKI products . Ef-

fectively, conformity with law requirement is not considered in [8]. We have added to

these criteria some other criteria that we found appropriate to consider to achieve a bet-

ter solution for multi-level trust integration. Among those criteria, we can mention the

audit of functions related to multi-level management, LDAP hierarchy veriﬁcation and

certiﬁcate modiﬁcation.

On the technical level, to ensure that multi-trust is supported in a given PKI, dif-

ferent conditions must be veriﬁed. First, adding extensions must be allowed by the

PKI. Second, the maximum number of trust levels permitted by the PKI must meet the

e-government needs. Third, the veriﬁcation at the LDAP level must permit the string

matching technique. Once fulﬁlled, these requirements can guarantee the support of

multi-trust level certiﬁcates. As we seen before, the other modiﬁcations that we intro-

duced to the classical PKI are related to practices and rules which can be developed

outside the PKI software.

6 Case study : a two-color model

6.1 Certiﬁcation Policy establishment

In an e-government environment, the majority of citizens interact with two domains

: their job domain and the remainder part of the government. Some citizens, but not

all, have more than one job. Their percentage can be considered very small. So, we

can admit that each entity is characterized by two levels of trust {n

, n

}, where :

∈ {b

low

, b

sup

} refers to the level of trust assigned to the entity inside the department

to which he/she belongs while n

∈ {b

low

, b

sup

} refers to the trust level of that entity

outside the same department. We assign the following levels of trust for the following

particular cases : (1) Jobless end-users : (b

low

, n

), (2) CAs : (n

, b

low

Here, the value of ”b

low

” is assigned when no trust level can be attributed because

no interaction can be deﬁned between the certiﬁcate holder and some domain. For the

ﬁrst case mentioned above, no department can be affected to jobless users. So, the value

of ”b

low

” is affected as a trust level of that user inside some department. However, in

the case of CA, no external relationship are deﬁned, the value of ”b

low

” is assigned to

that authority outside its scope of operation.

6.2 PKI functions

During the registration process, a user applies for a certiﬁcate with a given trust level

, n

). A veriﬁcation process must be performed by RA. If this succeeds, RA gener-

ates a certiﬁcate request containing the user’s public key and the certiﬁcate information

including trust level parameters. If the applicant wants to add a new level of trust, then

the following case have to be considered.

First, if the user possesses a trust level (n

, n

) requires to upgrade the trust level

deﬁned in his department. A new trust level (n

, n

) will be assigned to him provided

that there exists a direct relation between n

and n

expressed by n

> n

. The ﬁrst

certiﬁcate with the trust level (n

, n

) must be revoked before the generation of the

certiﬁcate with the higher level of trust.

Second, if a user belongs to two different departments, then he can have a certiﬁcate

that corresponds to each department to which he belongs. For example, if a user works

for n

user−dept

> 1 departments, then he can require n

user−dept

certiﬁcates.

Third, if the trust level assigned to a given user outside his department ; two cases

are conceivable. (1) If there is a direct relationship between the requiered level n

and

such as n

> n

, the user gets a new certiﬁcate with the trust level (n

, n

) and

the old certiﬁcate is revoked. (2) If not, the user gets a supplementary new certiﬁcate

with the required trust level. One of these certiﬁcates can be presented in function of

application requirements.

Fourth, if we consider the case of CA, the trust level is denoted (n

, b

low

). For each

n ∈ {b

low

, b

sup

}, CA can only issue certiﬁcates to entities with a trust level (n

, n

)

with n

< n

and n

< n

. This means that a given CA in the considered envi-

ronment can not issue certiﬁcates to entities with a higher trust levels.

After the certiﬁcate generation, the CA ensures its publication in its LDAP repos-

itory. The architecture of the latter is organized in a such a way that two ﬁelds are as-

signed to the trust levels. In this nomenclature, the management of the LDAP server and

certiﬁcate veriﬁcation become easier due to the use of two levels of trust only. When

a user desires to accede to a particular application or resource, a veriﬁcation process

of his presented certiﬁcate must be performed. Depending on the minimum required

trust level, the application extracts the signiﬁcant parameter in the couple (n

, n

) and

veriﬁes the access rights attributed to the end-user.

6.3 Implementation issues

For the purpose of multi-level trust PKI implementing, the use of open-source software

can fulﬁll the suggested requirements. For example, the use of openssl

with its cryp-

tographic functionalities can be a satisfying option for a standard solution. Moreover,

openssl is worldwide used and can be easily manipulated. Thus, the different PKI

roles can be separated from each other according to the environment requirements (RA,

CA, end-user). In addition, the printable ﬁelds in a X.509 can be speciﬁed in such a

manner to insert the trust level information corresponding to the certiﬁcate holder. We

must notice that, with openssl, the certiﬁcate authority manager has to intervene only

on some speciﬁc points. Time can be then saved efﬁciently. Another characteristic of

openssl that may encourage its use in a large-scale environment is the possibility of

databases building to manage users certiﬁcates, keys, and other active elements of cer-

tiﬁcation. Up to here, openssl can be used to perform the following functions of the

PKI : registration (key and request generation), certiﬁcate generation and revocation.

The publication and veriﬁcation of certiﬁcates are two essential functions when

implementing a multi-level trust PKI in the e-government environment. For the pub-

lication purpose, an open-source solution such as openldap

is available for use.

On its own, openldap offers a complete publication service for certiﬁcates and CRLs

with hierarchical structure. However, one shortcoming of openldap is the rigidity of

matching. openldap does not use the same encoding used in the X.509 certiﬁcate.

Thus, it is unable to perform a research using attributes existing inside the X.509 cer-

tiﬁcates. To overcome this insufﬁciency, new attributes must be added in the repository

as searchable parameters and as they are listed in the certiﬁcate. The openldap as it

is currently deﬁned does not present this possibility.

In this trend, two solutions can be adopted. First, an intelligent database for certiﬁ-

cates can be built to support different types of encoding formats and new requests can

be added to interact with the database. This approach can remedy to the limited set of

request predeﬁned in the LDAP protocol. The second solution consists of building an

external module for conformity testing. This can be achieved without modifying the

repository structure but requires a veriﬁcation rules building to manage accesses to the

repositories and to involved applications requested by certiﬁcate holders.

7 Conclusion

The world is moving toward more complex and open PKIs structures. In addition, e-

government requirements in term of trust become more and more pronounced. People

http://www.openssl.org

http://www.openldap.org

can have multiple certiﬁcates, which may belong to different PKIs and may be used in

environments having variable security requirements. Similar situations may lead to a

considerable cost for users in term of time, money and complexity. Thus, the limited

expressiveness of current certiﬁcate becomes a concern to manage multi-trust levels in

different e-government domains.

We have attempted in this paper to propose a model that integrates the concept of

multi-level trust through the use of X.509 certiﬁcates. We have also adapted it to the

need of managing access control and authentication in e-government. Then, we have

considered the main modiﬁcation needed by a PKI to handle digital certiﬁcates marked

with a subset of trust levels. We ﬁnally presented a case study in an e-government

environment in which two trust levels are deﬁned.

References

1. Boudriga, N., “Technical Issues in Securing E-government,” IEEE international conference

on systems, men, and cybernetics (SMC02), Tunisia, 2002.

2. Benabdallah, S., Guemara El Fatmi, S., Boudriga, N., “Security Issues in E-Government Mod-

els: What Governments Should do ?,” IEEE international conference on systems, men, and

cybernetics (SMC02), Tunisia, 2002.

3. Chadwick, D.W., An X.509 Role Based Privilege Management Infrastructure, Business Brief-

ing - Global InfoSecurity 2002, World Markets Research Centre Ltd, ISBN: 1-903150-52-3,

2001.

4. Chadwick, D.W., Otenko, A., ”The PERMIS X.509 Role Based Privilege Management In-

frastructure,” Future Generation Computer Systems, 936 (2002) 113, 2002. Elsevier Science

BV.

5. Chokhani, S., Ford, W., Sabett, R., Merrill, C., Wu, S., “Internet X.509 Public Key Infrastruc-

ture Certiﬁcate Policy and Certiﬁcation Practices Framework,” RFC 3647, 2003.

6. Chadwick, D.W., Ball, E., Sahalayev, M.V., ”Modifying LDAP to Support X.509-based PKIs,”

Working Conference on Database and Applications Security to be held August 4-6 2003 Col-

orado.

7. Chadwick, D.W., “Internet X.509 Public Key Infrastructure Operational Protocols : LDAPv3,”

Internet Draft <draft-ietf-pkix-ldap-v3-05.txt>, 2002.

8. NSS Group Report “Public Key Infrastructure,” Group Test Edition 6 - 2003.