Any large scale security architecture that uses certificates to provide sec
urity in a distributed system will need some automated support for moving c
ertificates around in the network. We believe that for efficiency, this aut
omated support should be tied closely to the consumer of the certificates:
the policy verifier. As a proof of concept, we have built QCM, a prototype
policy language and verifier that can direct a retrieval mechanism to obtai
n certificates from the network. Like previous verifiers, QCM takes a polic
y and certificates supplied by a requester and determines whether the polic
y is satisfied. Unlike previous verifiers, QCM can take further action if t
he policy is not satisfied: QCM can examine the policy to decide what certi
ficates might help satisfy it and obtain them from remote servers on behalf
of the requester. This takes place automatically, without intervention by
the requester; there is no additional burden placed on the requester or the
policy writer for the retrieval service we provide. We present examples th
at show how our technique greatly simplifies certificate-based secure appli
cations ranging from key distribution to ratings systems, and that QCM poli
cies are simple to write. We describe our implementation, and illustrate th
e operation of the prototype, Copyright (C) 2000 John Wiley gr Sons, Ltd.