

Dartmouth Scientists Hard at Work on PKI Fix
By: Stan Gibson  |  2009-07-13

Certificates sometimes need to be revoked, and when they are, the mechanism for spreading word on the Internet is so cumbersome as to be practically unusable beyond narrowly defined groups.

Widely hailed as a critical technology for Internet commerce and e-government, PKI (Public Key Infrastructure) has suffered from inherent design flaws that have hobbled adoption and kept it from achieving its full promise. For PKI to work, a trusted certificate must be issued to a user. But certificates sometimes need to be revoked, and when they are, the mechanism for spreading word on the Internet is so cumbersome as to be practically unusable beyond narrowly defined groups.
That’s a problem researchers at Dartmouth College in Hanover, N.H., are working hard to solve with a technology known as PRQP (PKI Resource Query Protocol).

“Without PRQP, finding critical replication information can be problematic. How do you know where to look to seek whether the issuer of a certificate has revoked it? In practice, it may be impossible to tell if it had been revoked without PRQP, even though in theory it should work. PRQP tries to distribute this information,” said Dartmouth Professor Sean Smith.

The critical enhancement to PKI took a step nearer to reality earlier this year when it was taken up by the Internet Engineering Task Force (IETF) in its PKIX working group. Protocols sometimes gain wide adoption even before gaining the full blessing of the IETF, a process that can take years.

PRQP will gain further currency in the fall of 2009 when it is included in OpenCA, open source software for issuing digital certificates, according to Massimiliano Pala, research fellow at Dartmouth’s Institute for Security, Technology, and Society (ISTS). OpenCA is currently being used by some governments and other organizations, according to Pala. The researcher also said he is working on a PRQP client for Mozilla’s Firefox browser, which will be available in September.

The PRQP work at Dartmouth has been funded by the U.S. Department of Homeland Security.

 


  Reader Comments: Dartmouth Scientists Hard at Work on PKI Fix
WTF
Since when is retaining revocation status a problem? CRLs and OCSP have existed for a long time. I don't believe that Massimiliano Pala is involved in this,...
Posted At: 07-16-09
By: Eddy Nigg
Why is OCSP not mentioned?
It would seem that OCSP answers precisely the need identified in this article and addressed by the technology it introduces. I assume it provides a...
Posted At: 07-16-09
By: Wes Kussmaul