It is well known that the integrity of public key vitally determines
the whole security of communication, especially electronic transactions
on the network. So different kinds of Public Key infrastructures (PKI)
[1] are designed and their implementations are currently evolving.
The examples include IETF's PKIx(Public-Key Infrastructure,X.509)
[2, 3, 4, 5],
PKCS(Public Key Crypto System)[6],
PGP(Pretty Good Privacy)[7], SPKI(Simple Public Key Infrastructure)
[8], SDSI(Simple Distributed Security Infrastructure)[9],
etc. Most of the systems are organized in a hierachical manner to issue
and verify the certificates. and there is no single agreed-upon
standard for setting up a PKI. Even those implementations are based on
the same scheme (say X.509 recommendation), they are still not fully
compatible with
each other due to the independent interpretations in their actual
implementation. So it is a crucial issue to overcome the imcompatibility
and enable wide spread authentication offered by PKI.
The simplest solution is to establish a uniform system with only one
kind of certificate format, name space and management protocol.
However,
it is not only infeasible to enforce in practice, but also undesirable
in many situations. For example, in a given
situation, the information of organizational relationships is needed
as an element in a certificate, but in other situations, this
information is not needed and it shouldn't be included in the
certificate for the sake of security and privacy.
This flexibility in PKI implementation requires that multiple
types of certificates, definition of name space, and management
protocols tailored for various applications must be
developed[9].
A software agent is a process which can travel from one place to
another within the telesphere. It can be unattended for a long time.
Once an agent is in a place, it can interact with other agents
to learn new knowledge and fulfil a goal. Nowadays, agents are widely
used in many different kinds of applications.
In this context, our research makes an effort at using the concept of
agent to flexibly implement decentralized PKI[10].
One the other hand, the
development of the Internet is changing the traditional paradigm of
software, which is monolithic and passively operated by
humans, to the new agent-based technology which works cooperatively and
autonomously. Agents, as the new generation of software, will be
delegated by humans to automatically perform tasks, including
digitally conducting transactions across the Internet. Security
issues are identified as critical for the success of agent-based
Internet programming[11]. Agent-oriented authentication
verification services must be supplied for most agent-based
applications. In fact, as primarily human-delegated software,
agents will be an ideal application domain of modern cryptography in
the very near future.
Though agents have been widely used in many applications. It is still
a new idea to introduce the concept of agent to solve security problems.
The treatment
on the security issues of software agent is also very scant.
[12] discussed some
basic principles for agent developers.
In [11],
language for agents to support the secret
communication was discussed based on cryptography techniques. However,
like the applications of public key cryptosystem in human society,
all of security schemes and
protocols designed for open agent society can not make any sense
without a scalable authentication service, and PKI
aim at providing such authentication service.
Further more, security protocols, operations and interoperation
between principals (agents), as well as public key management
are really heavy burden for the ordinary end-users to handle.
The agents themselves should be autonomously and cooperatively
performed by programs running on the Internet so
that the workload of the users can be relieved.
We propose to implement the authorities of authentication
verification service systems as autonomous software agents, called
security agents. This open implementation of agent-based PKI
facilitates interoperable, flexible, and agent-oriented authentication
verification service for various applications.
In this paper, we discuss two aspects of our flexible PKI development: (1)
The security agent concept and its functional modules -- we
describe the fundamental idea of implementing PKI by means
of a security agent. (2) An extension of
Knowledge Query and Manipulation Language (KQML)[13] -- KQML is
a language
and protocol for exchanging information and knoweledge between agents.
We propose a set of new elements to support key management and
secure communication among
agents.