[MSVSCertDebaucle]
PKI Forum.
"Verisign Fraudulent Certificates".
http://www.pkiforum.com/resources/verisigncerts.html.
Fontana, John.
"VeriSign issues fraudulent Microsoft code-signing certificates".
http://www.nwfusion.com/news/2001/0322vsign.html.
Guerin, Gregory.
"Microsoft, VeriSign, and Certificate Revocation".
http://amug.org/~glguerin/opinion/revocation.html.
[Schneier2000]
Schneier, Bruce.
Secrets and Lies: Digital Security in a Networked World.
New York, NY: John Wiley & Sons.
pp. 225-239.
ISBN: 0-471-25311-1.
[Google2001]
Google, Inc.
"Third Party Certificate Authorities".
List of Certificate Authorities at Google.
[OutsourceCite]
Ellison, Carl and Schneier, Bruce.
"Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure".
http://www.counterpane.com/pki-risks.html.
Laurie, Ben.
"Seven and a Half Non-risks of PKI: What You Shouldn't Be Told about Public Key Infrastructure".
http://www.apache-ssl.org/7.5things.txt.
Perez, Aram.
"Response to the Ten Risks of PKI article".
http://homepage.mac.com/aramperez/responsetenrisks.html.
US Government General Accounting Office.
"Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology".
http://www.gao.gov/cgi-bin/getrpt?rptno=gao-01-277.
[ITUX500Cite]
International Telecommunications Union.
"The directory: Overview of concepts, models and services".
http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.500.
See Acquiring ITU Specifications for more information.
Chadwick, David W.
Understanding X.500.
http://www.isi.salford.ac.uk/staff/dwc/X500.htm.
[Nexor2000]
Nexor, Inc.
"X.500 and Internet Directories".
http://www.nexor.com/x500frame.htm.
[Netcraft2001]
Netcraft, Inc.
"Netcraft Secure Server Survey".
http://www.netcraft.com/surveys/analysis/https/2001/Jan/CMatch/certs.html.
[PKCSCite]
RSA Data Security, Inc. Laboratories.
"Public Key Cryptography Standards".
http://www.rsa.com/rsalabs/pkcs/index.html.
Henson, Dr. Stephen N.
"PKCS#12 program Frequently Asked Questions".
http://www.drh-consultancy.demon.co.uk/.
[CertStoreCite]
Glenn, Ariel.
"Certificates shipped with Netscape".
http://www.columbia.edu/~ariel/good-certs/.
Brette, Marc.
"Netscape cert7.db extraction script".
http://www.nosneros.net/hso/publications/referenced_material/xtract.pl
[Callas1998]
Callas, Jon; Donnerhacke, L.; Finney, H.; Thayer, R.
"RFC 2440: OpenPGP Message Format".
http://www.rfc-editor.org/rfc/rfc2440.txt.
[SPKI/SDSI]
MIT CIS Department.
"Cryptography and Information Security Group Research Project:
A Simple Distributed Security Infrastructure (SDSI)".
http://theory.lcs.mit.edu/~cis/sdsi.html.
[Dubuisson2001]
Dubuisson, Olivier.
"Introduction to ASN.1".
http://asn1.elibel.tm.fr/en/introduction/index.htm
[Tung1996]
Tung, Brian.
"ASN.1: Wherefore Art Thou?".
http://www.isi.edu/~brian/security/asn1.html
[BERDERCite]
International Telecommunications Union.
"Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation".
http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.690.
See Acquiring ITU Specifications for more information.
Another PKI that exists is SPKI/SDSI, or Simple Public Key Infrastructure/Simple Distributed Security Infrastructure. It is pronounced spooky/sudzy. SPKI/SDSI is interesting in that it attempts to tie authorization, or what a particular entity is permitted to do, directly to the entity's certificate in cyberspace. It is flexible enough to allow one to centralize the certificate store like X.509 or to decentralize it like OpenPGP. SPKI/SDSI can even utilize the certificates that are created with the OpenPGP and X.509 specs. One can also trivially "cross certify" between certificate stores [SPKI/SDSI]. SPKI/SDSI is not yet widely used; in fact, I have been unable to find evidence of it getting pervasive acceptance outside of academia. Anyone who knows differently, please correct me if this perception is inaccurate. Additionally, this statement certainly isn't a suggestion that it won't become ubiquitous in the future; SPKI/SDSI has some exciting possibilities.
X.509 uses another ITU standard, Abstract Syntax Notation One (ASN.1), to define the data structures that describe the subjects and objects of X.509. ASN.1 allows standards writers to describe how data should be structured without being tied to a specific programming language or protocol. ASN.1 [ASN1Cite] has some simple data types and a notation that one can use to build descriptions of more complex sets of data. Expressing data in this fashion prevents ambiguity for the data described and allows disparate groups to build software and hardware that are theoretically interoperable. X.509 uses the Distinguished Encoding Rules (DER), which are based on the Basic Encoding Rules (BER). BER stipulates that a set of identifiers and the length of the data precede the data it encodes. DER defines additional rules on how the data is to be encoded. For further information on BER and DER, consult [BERDERCite].
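The identifier/length/value layout described above, as an added example that is not part of the original page: a small reader that walks nested encodings and enforces two of DER's additional rules from X.690 (definite lengths only, and the shortest possible length encoding). The function names and the sample byte strings are constructed for illustration.

```python
class DERError(ValueError):
    """Raised when input is truncated or violates a DER length rule."""

def read_tlv(buf, pos=0):
    """Parse one TLV at pos; return (identifier_octet, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    ident, first = buf[pos], buf[pos + 1]
    if ident & 0x1F == 0x1F:
        raise DERError("multi-octet tag numbers are outside this sketch")
    pos += 2
    if first < 0x80:                 # short form: one octet holds the length
        length = first
    elif first == 0x80:              # indefinite length: legal BER, never DER
        raise DERError("indefinite length")
    else:                            # long form: low 7 bits count length octets
        n = first & 0x7F
        raw = buf[pos:pos + n]
        if len(raw) != n:
            raise DERError("truncated length")
        length = int.from_bytes(raw, "big")
        if raw[0] == 0 or length < 0x80:   # DER demands the shortest form
            raise DERError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise DERError("value runs past end of input")
    return ident, buf[pos:pos + length], pos + length

def walk(buf, depth=0):
    """Flatten nested TLVs into (depth, identifier_octet, value_length)."""
    out, pos = [], 0
    while pos < len(buf):
        ident, value, pos = read_tlv(buf, pos)
        out.append((depth, ident, len(value)))
        if ident & 0x20:             # constructed bit: value holds more TLVs
            out.extend(walk(value, depth + 1))
    return out

def der_lengths_ok(buf):
    """True if every length in buf is encoded the way DER requires."""
    try:
        walk(buf)
        return True
    except DERError:
        return False

# Constructed samples: SEQUENCE { INTEGER 5, UTF8String "hi" }
SAMPLE_DER = bytes.fromhex("30070201050c026869")
SAMPLE_BER_LONG = bytes.fromhex("3081070201050c026869")     # length as 81 07
SAMPLE_BER_INDEF = bytes.fromhex("30800201050c0268690000")  # 80 ... 00 00
```

All three samples carry the same data and are valid BER, but only the first is valid DER, which is why a signature computed over a certificate's DER bytes has exactly one encoding to cover.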