The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures

09/18/2020
by Jens Hiller, et al.

Public Key Infrastructures (PKIs) with their trusted Certificate Authorities (CAs) provide the trust backbone for the Internet: CAs sign certificates that prove the identity of servers, applications, or users. To be trusted by operating systems and browsers, a CA has to undergo lengthy and costly validation processes. Alternatively, an already trusted CA can cross-sign another CA to extend its trust to it. In this paper, we systematically analyze the present and past state of cross-signing in the Web PKI. Our dataset (derived from passive TLS monitors and public CT logs) encompasses more than 7 years and 225 million certificates with 9.3 billion trust paths. We show the benefits and risks of cross-signing. We discuss the difficulty of revoking trusted CA certificates, where, worryingly, cross-signing can leave valid trust paths in place after a revocation; this is a problem for non-browser software that often blindly trusts all CA certificates and ignores revocations. However, cross-signing also enables fast bootstrapping of new CAs, e.g., Let's Encrypt, and achieves a non-disruptive user experience by providing backward compatibility. In this paper, we propose new rules and guidance for cross-signing that preserve its positive potential while mitigating its risks.
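The revocation gap described in the abstract, as an added toy model (not code from the paper): a minimal chain builder over constructed certificates shows that when root A revokes the certificate it issued to intermediate X, the cross-signed certificate that root B issued for the same key still yields a valid trust path, and `surviving_ca_certs` lists the certificates that would also have to be revoked. All names, key identifiers and serials are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str      # certified name
    key: str          # subject public key identifier
    issuer: str       # issuing CA name
    issuer_key: str   # issuing CA key identifier (authority key identifier)
    serial: str       # serial number, unique per issuer

def trust_paths(leaf, store, anchors, revoked=frozenset()):
    """All non-revoked chains from leaf to a trusted (name, key) anchor.
    store:   CA certificates available for chain building
    anchors: set of (name, key) pairs the client trusts
    revoked: set of (issuer, serial) pairs taken from the issuers' CRLs
    Returns a list of certificate tuples, leaf first."""
    def walk(cert, path, seen):
        if (cert.issuer, cert.serial) in revoked:
            return []
        if (cert.issuer, cert.issuer_key) in anchors:
            return [path]
        paths = []
        for ca in store:
            # a CA certificate matches if it carries the issuer's name and key;
            # `seen` stops loops between mutually cross-signed CAs
            if ca.subject == cert.issuer and ca.key == cert.issuer_key and ca.key not in seen:
                paths.extend(walk(ca, path + (ca,), seen | {ca.key}))
        return paths
    return walk(leaf, (leaf,), {leaf.key})

def surviving_ca_certs(leaf, store, anchors, revoked):
    """CA certificates that still keep some trust path alive after `revoked`,
    i.e. the cross-signed certificates that also need revoking."""
    return {(c.issuer, c.serial) for p in trust_paths(leaf, store, anchors, revoked) for c in p[1:]}

# Constructed example: intermediate "X" holds one key but two certificates,
# one issued by root A and a cross-signed one issued by root B.
ANCHORS = {("A", "KA"), ("B", "KB")}
STORE = [
    Cert("X", "KX", "A", "KA", "a1"),   # X certified by A
    Cert("X", "KX", "B", "KB", "b1"),   # cross-signed: same X key certified by B
]
LEAF = Cert("example.test", "KL", "X", "KX", "s1")

def demo():
    """Path counts: before revocation, after A revokes a1, after B also revokes b1."""
    before = len(trust_paths(LEAF, STORE, ANCHORS))
    after_a = len(trust_paths(LEAF, STORE, ANCHORS, {("A", "a1")}))
    after_both = len(trust_paths(LEAF, STORE, ANCHORS, {("A", "a1"), ("B", "b1")}))
    return before, after_a, after_both
```

`demo()` returns `(2, 1, 0)`: a single revocation removes only one of the two paths, and a client that ignores CRLs entirely, as the abstract notes many non-browser clients do, keeps both.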

