Web Services for Consulting the Certification Authorities Catalog

The Semantic Web Trust Portal's Certification Authorities Catalog compiles the information contained in the digital certificate practice statements in a structured manner. The catalog can be browsed using the graphical interface of the PKI Trust Center application as the trust rating of each policy is one of the attributes displayed. This rating can also be consulted via a Web services interface.

Consulting the trust rating of a policy via the REST Web services interface can be done using one of several parameters:

  • An end-entity digital certificate (of a user, server or application).
  • The root digital certificate of a certification authority.
  • The DN of a certification authority.
  • The OID of a certification policy.

Web services for consulting the CA catalog

Below is an example of obtaining the rating of a certification policy using its OID, which is specified in the Web service request.

POST /trustedx-sgw/pkitrustcenterws/rating HTTP/1.1
Host: tx_swtp
Content-Length: 41
Content-Type: application/x-trustedx-certificate+xml

<policyoid>2.16.724.1.2.2.2.3</policyoid>

The following explanation refers to the response generated by the PKI Trust Center Web service once this request is sent.

The response is an RDF graph and is structured as per Safelayer's security and trust ontologies (rating.owl, cps.owl and pki.owl). If the certification policy is found in the catalog, the Web service returns an RDF graph whose main resource is of the TrustRating type. The most noteworthy properties of this resource are value (the rating of the certification policy), date (the date this rating was assigned) and asserter (the entity that gave the rating). If the certification policy is not found in the catalog, the Web service returns an empty RDF graph.

In the following example, instead of specifying the OID of the certification policy, the digital certificate of a certification authority is sent.

POST /trustedx-sgw/pkitrustcenterws/rating HTTP/1.1
Host: tx_swtp
Content-Length: 2589
Content-Type: application/x-trustedx-certificate+xml

<cax509>[base64 CA certificate omitted]</cax509>

In this case, the response is again an RDF graph structured as per the same security and trust ontologies. The difference from the previous example is that the response can include the rating of more than one certification policy, since a certification authority can issue certificates under different policies.

If the certification authority to which the digital certificate belongs is in the catalog, the Web service returns an RDF graph whose main resource is of the CertificatePracticeStatement type. This resource can have multiple certification policies associated (CPSPolicy), which are specified via the includes property, and multiple certification authorities, which are specified via the rules property.

Alternatively, instead of a certification authority certificate, you can send an end-entity digital certificate to get the rating of the certification policy used to issue it. To try this out, replace the opening and closing <cax509> tags in the previous example with the corresponding tags for an end-entity certificate and paste the end-entity certificate between them.

Lastly, you can also obtain a trust rating using the distinguished name (DN) of the certification authority. The response again consists of an RDF graph with the entity's certification policies and their ratings.

POST /trustedx-sgw/pkitrustcenterws/rating HTTP/1.1
Host: tx_swtp
Content-Length: 78
Content-Type: application/x-trustedx-certificate+xml

<cadn>CN=AC RAIZ DNIE, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES</cadn>
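The three requests above differ only in the XML element carried in the body. The following Python client, an added example that is not Safelayer's code, builds that body for each query kind, computes Content-Length from the encoded body (reproducing the 41 and 78 shown on this page) and XML-escapes the value, so a DN or OID taken from an untrusted certificate cannot inject extra elements into the request. The use of HTTPS, the port and the tag for end-entity certificates (which the page does not name, so it is left out) are assumptions.

```python
"""Build PKI Trust Center rating requests (added example, not Safelayer's code).

The request shape follows the examples on this page: a POST to
/trustedx-sgw/pkitrustcenterws/rating whose body is one XML element
(<policyoid>, <cax509> or <cadn>). Transport details (TLS, port) are assumed.
"""
import http.client
from xml.sax.saxutils import escape

RATING_PATH = "/trustedx-sgw/pkitrustcenterws/rating"
# Content type as printed on the page; adjust if your deployment differs.
CONTENT_TYPE = "application/x-trustedx-certificate+xml"

# Query kind -> XML element name used in the request body (from the page).
QUERY_TAGS = {
    "policy_oid": "policyoid",  # OID of a certification policy
    "ca_cert": "cax509",        # certificate of a certification authority
    "ca_dn": "cadn",            # distinguished name of a certification authority
}


def build_body(kind: str, value: str) -> bytes:
    """Return the UTF-8 XML body for one query kind.

    The value is XML-escaped: a DN or OID read from a certificate presented by
    a client is attacker-influenced and must not be able to close the element
    and add further elements to the request.
    """
    try:
        tag = QUERY_TAGS[kind]
    except KeyError:
        raise ValueError(f"unknown query kind: {kind!r}") from None
    return f"<{tag}>{escape(value)}</{tag}>".encode("utf-8")


def content_length(kind: str, value: str) -> int:
    """Content-Length is the byte length of the encoded body, not its character count."""
    return len(build_body(kind, value))


def build_request(kind: str, value: str, host: str = "tx_swtp") -> bytes:
    """Serialise the complete HTTP/1.1 request as shown on the page."""
    body = build_body(kind, value)
    head = (
        f"POST {RATING_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Content-Type: {CONTENT_TYPE}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def query_rating(kind: str, value: str, host: str = "tx_swtp",
                 port: int = 443, timeout: float = 10.0) -> bytes:
    """Send the request and return the raw RDF/XML response body.

    Network call, not exercised offline. HTTPS on port 443 is an assumption;
    http.client's default TLS context verifies the server certificate, which
    matters because the answer drives an authorization decision.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", RATING_PATH, body=build_body(kind, value),
                     headers={"Content-Type": CONTENT_TYPE})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"rating service returned HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_request("policy_oid", "2.16.724.1.2.2.2.3").decode())
    print(build_request(
        "ca_dn",
        "CN=AC RAIZ DNIE, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES").decode())
```

For the `<cax509>` query, pass the certificate in whatever encoding your deployment expects; the page shows only its length, so the example does not transform it.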

This query service can be integrated into more complex operation flows, including those that use the trust rating of a certification authority to make an authorization or access control decision. Thus, as well as being based on an explicit list of trusted entities accepted by the user or the system administrator (as occurs in operating systems, browsers and all applications based on the public key infrastructure), digital certificate validation can be much more dynamic and incorporate the opinion of the PKI experts who feed the Certification Authorities Catalog available in the Semantic Web Trust Portal.

This is what happens with the Interidy Identity Provider application, which recognizes as verified the identity attributes that come from a digital certificate that was issued by a certification authority with a trust rating that is above a certain threshold. This process is, therefore, dynamic from two points of view. On the one hand, third-party users and applications do not need to maintain their own catalog of recognized certification authorities; they delegate the trust decision to the Semantic Web Trust Portal catalog. On the other hand, the trust rating for a certification authority is kept up to date as it can change over time, because of the aging or obsolescence of the cryptographic parameters involved or because of new requirements added to the procedures related to the digital certificate life-cycle.
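The threshold decision just described, together with the response format from earlier on this page (a TrustRating resource with value, date and asserter; an empty graph when the policy is not in the catalog), is shown below in an added example that is not Safelayer's or Interidy's code. The page names the ontologies (rating.owl, cps.owl, pki.owl) but not their namespace URIs, so RATING_NS is an assumed placeholder to be replaced with the real one; the sample RDF/XML responses and the rating scale are constructed for this example.

```python
"""Parse a PKI Trust Center rating response and apply a trust threshold.

Added example. The RDF namespace is standard; RATING_NS is an ASSUMED
placeholder for the real rating.owl namespace. Sample responses below are
constructed, on an assumed 0..1 rating scale.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"   # standard RDF namespace
RATING_NS = "http://example.org/rating.owl#"              # ASSUMED placeholder


def _q(ns: str, local: str) -> str:
    """Clark notation for a namespaced tag, as ElementTree uses it."""
    return f"{{{ns}}}{local}"


@dataclass
class TrustRating:
    subject: str    # URI of the rating resource (rdf:about), "" if absent
    value: float    # the rating of the certification policy
    date: str       # when the rating was assigned
    asserter: str   # entity that gave the rating (URI or literal)


def parse_trust_ratings(rdf_xml: bytes) -> List[TrustRating]:
    """Collect every TrustRating resource in the graph.

    Handles both RDF/XML spellings of a typed node: the abbreviated
    <rating:TrustRating rdf:about=...> form and an <rdf:Description> carrying
    <rdf:type rdf:resource=".../TrustRating"/>. An empty graph (policy not in
    the catalog) yields an empty list. xml.etree does not fetch external
    entities; for hostile or very large input consider defusedxml.
    """
    root = ET.fromstring(rdf_xml)
    type_uri = RATING_NS + "TrustRating"
    ratings: List[TrustRating] = []
    for node in root.iter():
        typed = node.tag == _q(RATING_NS, "TrustRating")
        if not typed and node.tag == _q(RDF_NS, "Description"):
            typed = any(t.get(_q(RDF_NS, "resource")) == type_uri
                        for t in node.findall(_q(RDF_NS, "type")))
        if not typed:
            continue

        def prop(local: str) -> Optional[str]:
            el = node.find(_q(RATING_NS, local))
            if el is None:
                return None
            # A property may point at a resource or carry a literal.
            return el.get(_q(RDF_NS, "resource")) or (el.text or "").strip()

        try:
            value = float(prop("value"))
        except (TypeError, ValueError):
            continue  # rating without a usable numeric value: ignore it
        ratings.append(TrustRating(node.get(_q(RDF_NS, "about"), ""), value,
                                   prop("date") or "", prop("asserter") or ""))
    return ratings


def is_trusted(ratings: List[TrustRating], threshold: float) -> bool:
    """Fail closed: no rating (empty graph) means the CA/policy is not trusted.

    A CA certificate query may return several policies; requiring the lowest
    rating to meet the threshold is the conservative choice when the issuing
    policy of the end-entity certificate is not known.
    """
    if not ratings:
        return False
    return min(r.value for r in ratings) >= threshold


# Constructed sample responses (not captured from a real service).
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:rating="{RATING_NS}">
  <rating:TrustRating rdf:about="urn:example:rating:1">
    <rating:value>0.8</rating:value>
    <rating:date>2010-05-12</rating:date>
    <rating:asserter rdf:resource="urn:example:asserter:pki-experts"/>
  </rating:TrustRating>
</rdf:RDF>""".encode()

EMPTY_RESPONSE = f'<rdf:RDF xmlns:rdf="{RDF_NS}"/>'.encode()


if __name__ == "__main__":
    for body in (SAMPLE_RESPONSE, EMPTY_RESPONSE):
        found = parse_trust_ratings(body)
        print(found, "-> trusted at 0.7:", is_trusted(found, 0.7))
```

The caller feeds the raw response body into parse_trust_ratings and gates the authorization step on is_trusted; because the threshold is evaluated at request time against whatever the catalog currently asserts, a downgraded rating takes effect without any change to the relying application.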

The Spanish Ministry for Industry, Tourism and Trade (Ministerio de Industria, Turismo y Comercio) has co-funded this work as part of the SAT2 project, ref. TSI-020100-2008-365 and TSI-020100-2009-374 of the AVANZA I+D sub-program.