ATM Forum specifies public key cryptography to be the default ATM authentication
mechanism and directory services like X.509 to be the infrastructure for public
key distribution and certification. Authenticated signaling, widely acknowledged
as a necessary security feature of ATM network, requires the signaling message to
be authenticated with a digital signature signed by the private key of the calling
party. To verify the digital signature, the called party needs to obtain the public
key of the calling party and a proof of the calling party's ownership to that public
key. In X.509, the standard form of such a proof is a chain of public key certificates,
called the certificate path between two parties. Certificate exchange protocol
(CEP), proposed by ATM Forum, requires that another bi-directional connection
be established between two parties to exchange public keys and certificate paths
before an authenticated connection can be set up, which is not an ideal approach.
We propose an algorithm which is embedded into ATM routing protocols to generate
a certificate path inside a signaling message on-the-fly as the signaling message
travels through the ATM network. In this approach, all that a calling party needs
to know for authentication purpose is its own public key certificate and the ATM
network builds the rest of the certificate path for it. Related issues like distribution
of public key certificates and optimization of CA hierarchy are also addressed in
this paper.