PKI implementations today are used to bind identities to public keys and manage the revocation of the resulting certificates. This workshop, however, considers the full range of public key technology
used for security decisions. At the "relying party" end, where the certificates are actually used, completing a transaction includes discovery and interpretation of relevant security information the validity of which is verified against appropriate roots of authority. There are many security decisions (concerning authentication and authorization) to be made and they need to be made correctly. All of this needs to occur with tools that are simple to use correctly (by developers and by end-users) and pleasant enough that one would choose to use them.

This workshop among leading security researchers will explore the issues relevant to this area of security management, and will seek to foster a long-term research agenda for authentication and authorization in populations large and small via public key cryptography. The workshop is intended to promote a vigorous and structured discussion among the leading academic and corporate developers and the user community---a discussion well-informed by the problems and issues in deployment today.

We solicit papers, panel proposals, and participation.

The goals of this workshop are to cross-pollinate existing research efforts, to identify the key remaining challenges in deploying public key authentication and authorization, and to develop a research agenda addressing those outstanding issues.

• What are the key areas in current PKI approaches that need further work?
• For each area, what approaches appear most promising? How do the approaches in one area affect the methodologies in other areas?

The results will be promulgated in several ways, including:

• a published proceedings with refereed papers and summaries of workshop discussions
• the workshop web site: http://middleware.internet2.edu/pki03/
• experimental initiatives within higher education

Outstanding papers will be invited for possible publication in ACM TISSEC.

Presentation formats will include:

• Refereed papers
• Panel discussions
• Invited talks
• Work-in-progress updates

Submitted works for panels, papers and reports should address one or more critical areas of inquiry. Topics include (but not are not limited to):

• Cryptographic methods in support of security decisions
• The characterization and encoding of security decision data (e.g., name spaces, x509, SDSI/SPKI, PGP, XKMS, SAML, WSS), policy mappings and languages, etc.
• The relative security of alternative methods for supporting security decisions. Risk management.
• Correctly interpreting the results of a private key operation or a public key operation. Interpreting signed objects that have active code.
• Key management and rollover, and certificate management and rollover
• Privacy protection and implications of different approaches
• Scalability of security systems - are there limits to growth?
• Security of the various components of a system: private keys, root authorities, certificate storage, communications channels, code, directories, etc.
• User interface issues with naming, multiple private keys, selective disclosure
• Mobility solutions
• Approaches to attributes and delegation
• Discussion of how the "public key infrastructure" may differ from the "PKI" traditionally defined
• User Interface issues in PKI tool construction, and the security implications of different UI choices
• Reports of real-world experience with the use and deployment of PKI, especially where future research directions for PKI are indicated
• What is missing? The gaps in PKI reasarch and standards from a systems engineering point-of-view

Papers should be submitted electronically, in PDF, formatted for standard US letter-size paper (8.5 x 11 inches). The final version of refereed papers should ideally be between 8 and 15 pages, and in no case more than 20 pages.

Proposals for panels should be no longer than five pages in length and should include possible panelists and an indication of which of those panelists have confirmed participation.

Please submit the following information by email to pkichairs@internet2.edu:

• The full contact details (name, affiliation, email, phone, postal address) of one author who will act as the primary contact for this paper.
• The full list of authors: you must supply the first name, the last name and the affiliation of each author.
• The finished paper in PDF format as an attachment.

All submissions will be acknowledged.

The deadline for submission is January 31, 2003. Requests for short extensions will be granted on a case-by-case basis, and must be requested by January 31st via email to the same address.

When appropriate, authors should arrange for a release for publication from their employer prior to submission. Papers accompanied by non-disclosure agreement forms are not acceptable and will be returned to the author(s) unread.

Submissions of papers must not substantially duplicate work that any of the authors have published elsewhere or have submitted in parallel to any other conferences or journals.

The registration fee will be waived for presenters. A limited number of stipends are available to those unable to obtain funding to attend the workshop. Further information will be available on the registration page in January.

Student Stipend Requests