Proxy Certificates: The Missing Link in the Web's Chain of Trust

06/25/2019
by L. Chuat, et al.

The ability to quickly revoke a compromised key is critical to the security of a public-key infrastructure. Regrettably, most certificate revocation schemes suffer from latency, availability, or privacy issues. The problem is exacerbated by the lack of a native delegation mechanism in TLS, which increasingly leads domain owners to engage in dangerous practices such as sharing their private keys with third parties. We investigate the utility of "proxy certificates" to address long-standing revocation and delegation shortcomings in the web PKI. By issuing proxy certificates, entities holding a regular (non-CA) certificate can grant all or a subset of their privileges to other entities. This fine-grained control over delegating privileges requires no further actions from a CA, yet does not require trust on first use (TOFU). The lifetime of a proxy certificate can be made almost arbitrarily short to curb the consequences of a key compromise. We analyze the benefits of this approach in comparison to alternatives, discussing various use cases and technical implications. We also show that combining short-lived proxy certificates with other schemes constitutes an attractive solution to several pressing problems. Overall, we make the case that the benefits obtained from incorporating proxy certificates into the current PKI substantially outweigh the changes required in practice. Such changes are minimal, and would only be required on the browser end, should a domain owner opt to use proxy certificates.
