Cleaning up the PKI for Long-Term Signatures

  • Martín A. G. Vigil Technische Universität Darmstadt
  • Ricardo Felipe Custódio UFSC


In this paper we present a new approach to conventional X.509 Public Key Infrastructures (PKI). Our goal is to reduce the effort needed to handle signatures in the long term. The novelty is that a Root CA reissues the subordinate certificates of final users, adjusting their validity periods to exclude the periods after a revocation. The Root CA also authenticates timestamps. The result is the cleaned PKI, which is simpler than the conventional PKI because: a) there is no revocation; b) there is no intermediary Certification Authority; c) signatures are trustworthy as long as the cryptographic algorithms used remain secure. As benefits, we reduce the need for timestamps and consequently the demand for storage space and processing time to use signed documents.


VIGIL, Martín A. G.; CUSTÓDIO, Ricardo Felipe. Cleaning up the PKI for Long-Term Signatures. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 12., 2012, Curitiba. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2012. p. 140-153. DOI:

