next up previous
Next: Conclusion Up: Extensions to KQML Previous: New Parameters

New Performatives

The new performatives are introduced mainly for public key management in the agent-based PKI [15].

  1. apply-certificate

    In order to communicate securely with others, an agent applies for a certificate when it is created; the certificate will include an automatically generated public key. To apply for the certificate from an authentication authority (a security agent), the agent sends the following performative in a KQML message as its certificate application:
    apply-certificate:
    :language {name of certificate}
    :content {all the elements of the certificate except the signature of the authority}
    :ontology PKCertificate

    where the value of ``content'' is every element that is to be included in the certificate being applied for. The value of ``language'' identifies the type of certificate, which lets the receiver's KQML parser know which elements make up the ``content'' of this performative and extract them.

  2. issue-certificate

    If an application for a certificate is approved, the security agent in charge of issuing certificates sends back a performative as follows:
    issue-certificate:
    :language {name of certificate}
    :content {issued certificate}
    :senderCert {authority's certificate}
    [:senderCertChain {the certificate chain of the authority}]
    [:signature {signature signed by the security agent}]
    :ontology PKCertificate

    where the value of ``language'' again identifies the type of certificate, which should be the type requested by the applicant agent, and the issued certificate is carried as the value of ``content''.
    Upon receiving this performative, the applicant agent extracts the public key from the authority's certificate (carried in ``senderCert'') and checks the authenticity of the issued certificate by verifying the signature in the issued certificate with that key.

  3. renew-certificate

    Whenever an agent is going to change its public key, or other information in its certificate, it sends the following performative to the security agent that issued the original certificate:
    renew-certificate:
    :language {name of certificate}
    :content {content of new certificate}
    :senderCert {original certificate}
    :signature {signature on content of new certificate}
    :ontology PKCertificate

    On receiving the performative, the security agent extracts the public key from the original certificate and checks the authenticity of the new certificate content by verifying the signature with that key. If the signature verifies, the security agent can sign the new certificate and issue it to the applicant by sending back an issue-certificate performative.

  4. update-certificate

    If a security agent updates its public key, it should inform (1) the agents that applied for a certificate from it, and (2) the agents whose certificates were issued by the agents to whom the updated certificate has been sent. All these agents, upon receipt of the update-certificate, will update their CDB and renew their certificates. To inform others about the updated certificate, a security agent uses the following performative:
    update-certificate:
    :language {name of certificate}
    :content {updated certificate}
    :senderCert {original certificate}
    :signature {signature on the updated certificate, verifiable with the public key in the old certificate}
    :ontology PKCertificate

    Upon receiving the performative, the receiver checks the authenticity of the updated certificate by verifying the signature with the public key included in the original certificate.

  5. revoke-certificate

    A certificate may be revoked for various reasons. If a security agent is going to revoke its certificate, it sends the following performative to the other agents associated with it, especially the agents that hold certificates issued by the agent whose certificate is being revoked. When an agent is informed of a revoked certificate, it should also forward the performative to the agents that hold certificates issued by it.
    revoke-certificate:
    :language {name of certificate to be revoked}
    :content {the certificate to be revoked}
    :signature {signature on the certificate to be revoked}
    :senderCert {certificate}
    [:senderCertChain {certificate chain}]
    :ontology PKCertificate

    where the signature is made with the private key corresponding to the public key included in the certificate to be revoked, so that any holder of that certificate can verify it.

These are the performatives for basic certificate management. If more sophisticated certificate management is needed in the future, additional performatives can be developed.
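The five performatives above form one exchange between an agent and a security agent. As an added example that is not from the paper or its implementation, the following Python script drives all five of them between one security agent and one ordinary agent and performs the check each receiver is described as making: issue-certificate is verified with the key in senderCert, renew-certificate and update-certificate with the key in the original certificate, and revoke-certificate with the key in the revoked certificate itself. The agent names, the JSON certificate layout, the ``PKCert'' language name and the toy textbook-RSA signature scheme built from Mersenne primes (standard library only, not usable as real keys) are assumptions made for the example; the senderCertChain parameter and the fan-out of update and revoke messages to further agents are left out. The script also adds one check the text does not spell out: the security agent refuses a renew-certificate whose senderCert is no longer the current certificate it issued to that subject, so a replayed renewal is rejected.

```python
import hashlib
import json

E = 65537   # toy textbook RSA over Mersenne-prime moduli: trivially factorable, demo only

def make_keypair(p_exp, q_exp):
    p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
    return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}
def canon(obj):   # canonical JSON so sender and receiver hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):
    return pow(digest(data), priv["d"], priv["n"])
def verify(cert, data, sig):   # check `sig` with the public key carried in `cert`
    return pow(sig, cert["body"]["e"], cert["body"]["n"]) == digest(data)
def message(performative, **params):   # wire form: (performative :language PKCert :content ...)
    return dict(performative=performative, language="PKCert", ontology="PKCertificate", **params)

class Agent:
    def __init__(self, name, p_exp, q_exp):
        self.name, self.cdb, self.cert = name, {}, None   # CDB: subject -> trusted certificate
        self.pub, self.priv = make_keypair(p_exp, q_exp)
    def apply_certificate(self, authority):
        # 1. apply-certificate: every certificate element except the authority's signature
        body = {"subject": self.name, "issuer": authority, "n": self.pub["n"], "e": self.pub["e"]}
        return message("apply-certificate", content=body)
    def handle_issue(self, msg):
        # 2. issue-certificate: verify with the key in senderCert; the certified key must be ours
        auth, issued = msg["senderCert"], msg["content"]
        if issued["body"]["n"] != self.pub["n"] or not verify(auth, canon(issued["body"]), issued["sig"]):
            return False
        self.cert, self.cdb[auth["body"]["subject"]] = issued, auth
        return True
    def renew_certificate(self, p_exp, q_exp):
        # 3. renew-certificate: new content signed with the ORIGINAL certificate's private key
        old_priv, old_cert = self.priv, self.cert
        self.pub, self.priv = make_keypair(p_exp, q_exp)
        body = dict(old_cert["body"], n=self.pub["n"], e=self.pub["e"])
        return message("renew-certificate", content=body, senderCert=old_cert,
                       signature=sign(old_priv, canon(body)))
    def handle_update(self, msg):
        # 4. update-certificate: senderCert must be the cert our CDB trusts; verify the new one under it
        old, new = msg["senderCert"], msg["content"]
        name = old["body"]["subject"]
        if self.cdb.get(name) != old or not verify(old, canon(new), msg["signature"]):
            return False
        self.cdb[name] = new   # the agent should now renew its own certificate
        return True
    def handle_revoke(self, msg):
        # 5. revoke-certificate: the signature was made with the revoked certificate's own key
        revoked = msg["content"]
        if not verify(revoked, canon(revoked), msg["signature"]):
            return False
        name = revoked["body"]["subject"]
        self.cdb.pop(name, None)
        if self.cert and self.cert["body"]["issuer"] == name:
            self.cert = None   # our own certificate chained to the revoked one
        return True

class SecurityAgent(Agent):
    def __init__(self, name, p_exp, q_exp):
        super().__init__(name, p_exp, q_exp)
        self.serial, self.issued = 0, {}   # issued: subject -> the current cert we signed
        self.cert = self._sign_cert(dict(self.apply_certificate(name)["content"], serial=0))
    def _sign_cert(self, body):
        return {"body": body, "sig": sign(self.priv, canon(body))}
    def handle_apply(self, msg):
        self.serial += 1
        cert = self._sign_cert(dict(msg["content"], serial=self.serial))
        self.issued[cert["body"]["subject"]] = cert
        return message("issue-certificate", content=cert, senderCert=self.cert)
    def handle_renew(self, msg):
        # senderCert must be the CURRENT cert we issued to that subject (replays of a superseded one fail)
        original, body = msg["senderCert"], msg["content"]
        if self.issued.get(body["subject"]) != original or not verify(original, canon(body), msg["signature"]):
            return None
        return self.handle_apply(msg)
    def update_certificate(self, p_exp, q_exp):
        # new self-signed certificate, signed again with the OLD private key
        old_cert, old_priv = self.cert, self.priv
        self.pub, self.priv = make_keypair(p_exp, q_exp)
        self.cert = self._sign_cert(dict(old_cert["body"], n=self.pub["n"], e=self.pub["e"]))
        return message("update-certificate", content=self.cert, senderCert=old_cert,
                       signature=sign(old_priv, canon(self.cert)))
    def revoke_certificate(self):
        return message("revoke-certificate", content=self.cert, senderCert=self.cert,
                       signature=sign(self.priv, canon(self.cert)))

def run_exchange():   # all five performatives; the Mersenne exponent pairs are constructed toy key sizes
    sa, a = SecurityAgent("SA-1", 521, 607), Agent("agent-A", 127, 1279)
    r = {"issue_ok": a.handle_issue(sa.handle_apply(a.apply_certificate("SA-1")))}
    renew = a.renew_certificate(107, 2203)
    r["renew_ok"] = a.handle_issue(sa.handle_renew(renew))
    r["replay_rejected"] = sa.handle_renew(renew) is None   # stale senderCert
    r["update_ok"] = a.handle_update(sa.update_certificate(89, 2281))
    r["revoke_ok"] = a.handle_revoke(sa.revoke_certificate())
    r["authority_dropped"] = a.cert is None and "SA-1" not in a.cdb
    return r
```

Running run_exchange() returns a dictionary in which every entry is True: the issue, renewal, update and revocation all verify, the replayed renew-certificate is refused because its senderCert has been superseded, and after the revocation the agent has dropped the authority from its CDB and discarded its own certificate, which chained to the revoked one. The messages are kept as Python dictionaries; on the wire each would be the KQML S-expression with the same parameter names.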






Qi He
Wed Feb 11 00:37:07 EST 1998