X.509 identity certificates with local verification

Authentication in various communication systems and protocols is often based on X.509 identity certificates. The verification of these certificates requires a global trust anchor (certificate authority) that is accepted by the communication partners that attempt to authenticate to each other. The nonavailability of the services of this trust anchor, especially certificate revocation services, prevents successful authentication and communication. The trust anchor therefore constitutes a single point of failure. This is not acceptable for mission-critical communication systems such as the future aeronautical telecommunications network that will support air traffic control. Within this paper, an extension to X.509 identity certificates is proposed that allows the authenticating partners to verify each other´s certificate without a global trust anchor. Instead, a distributed architecture is introduced where communication partners only require the services of a local trust anchor. No intertrust domain operations are therefore required for the verification of our extended certificate format.