WiMAX Certificate Authorities

Unlike UMTS and LTE, it looks like WiMAX will not make use of SIM cards but instead embedded authentication information directly in the device. In a world where only private keys are used, this would bind the device to an operator, i.e. a nice look-in scheme. WiMAX however, uses X.509 certificates issued by a certificate authority. If I understand things right, operator look-in of a device is then decided by whether the public key of the certificate authority is known in public or not. It looks like Verisign for example issues X.509 certificates for WiMAX. Now my big question now is: Are the public keys of certificate authorities used for generating WiMAX X.509 certificates public knowledge? Anyone?

2 thoughts on “WiMAX Certificate Authorities”

  1. I think they’d have to be.
    Given the point of public keys, most infrastructure makes no effort to hide them – this is the part that’s allowed to travel unencrypted to establish encryption for subsequent communication.
    If Verisign (or any cert authority) issues client certificates for which the root and its public key are kept secret (only issued to one telco), then the telco may as well just issue their own certificates at no cost.
    Even then, I expect the public keys of individual devices could be retrieved or intercepted for the purpose of being identified and trusted by another WiMAX provider.

  2. Hi!

    I am just not sure about all of this… In theory, Verisign could offer the service for operators who would like to keep things to themselves and keep the public key of the certificate authority to itself to prevent customers from going somewhere else. The reason for this could be that operators wouldn’t want to invest in a device for key generation? Your guess is as good as mine.

    I agree with you on the point of just using the public key of the user device. As far as I understand the mechanism, it could work. For example: The first time the device tries to get access to the network, the AAA database takes note of the public key and the MAC address of the device. That combination can’t be forged later on. Since the combination cannot be verified without the CA’s public key, the subscriber could be redirected to a landing page to give his credit card details to gain access. Next time he comes back the system recognizes him, grants access automatically or redirects him again to the landing page.

    However, just my best guess at this point. Some further insight is very welcome…

    Cheers,
    Martin

Comments are closed.