PKI seems to be here to stay. It provides solutions to many problems, but at the same time it introduces a new problem to be solved: certificate lifecycle management. In this thesis, we focus on certificate revocation and the way that Certificate Status Information (CSI) is disseminated to the appropriate stakeholders.
Many CSI mechanisms have already been proposed, each attempting to improve some aspect or aspects of the CSI dissemination process. This is good for research, simply because this is how research moves on: step after step, improvement over improvement, counter proposition over proposition, trial and error. However, there does not seem to exist a unified framework for the comparative evaluation (be it qualitative and/or quantitative) of the various CSI mechanisms already proposed in the literature. We argue that such an evaluation framework could prove useful in further advancing research in the domain, especially now that many different CSI mechanisms have already appeared in the literature. Such an evaluation framework could also prove useful in real-life scenarios (i.e. outside the research lab), when someone has to decide on the CSI mechanism to use, depending on the needs of the particular case.
Another issue with the proposed CSI mechanisms is that they focus on improving performance and timeliness of information, reducing bandwidth requirements, and meeting legal requirements. However, there is one actor in the PKI scene that is almost always neglected: the end user. PKI is aimed at the masses, but the average end user is probably not tech savvy. One should not expect the end user to comprehend the inner workings of the CSI mechanism in order to use it effectively. Nor should one probably expect the end user to appreciate the need for locating, retrieving and verifying CSI and to act upon it.
It seems that right now the weakest link in the PKI chain is the end user, who may (or may not) use the available CSI mechanisms to verify some signed piece of information or to verify the authentication data some entity provides. CSI research should also focus on improving this aspect, i.e. the transparency of CSI mechanisms.
In this thesis, we present a taxonomy of CSI mechanisms and an evaluation framework for them. We also use our evaluation framework in order to present a comparative evaluation of the CSI mechanisms proposed in the literature. We believe our evaluation framework can be of use in further researching CSI mechanisms.
We then focus on the issue that most CSI mechanisms tend to neglect: that of CSI mechanism transparency. A user should not have to comprehend the mechanics of CSI mechanisms in order to use them, nor should the user need to be highly trained in security to be able to operate in the PKI world.
We develop a prototype for a CSI dissemination mechanism, which we call Alternative Dissemination of Certificate Status Information (ADoCSI). This mechanism uses Software Agents to disseminate CSI, and also uses some of the properties and functionality offered by the other CSI mechanisms. We believe that ADoCSI addresses some of the issues that emerge from the use of the other Certificate Status Information dissemination mechanisms. It certainly increases the level of transparency, thus providing a solution to the aforementioned “weakest link” problem, the weakest link being the dependent entity, which one should not expect to have high levels of information security awareness.