Issue No. 3, May-June 2013 (vol. 17)
pp. 18-25
ABSTRACT
For more than a decade, Internet users have relied on digital certificates issued by certificate authorities to encrypt and authenticate their most valuable communications. Computer security experts have lambasted weaknesses in the system since its inception. Recent exploits have brought several problems back into stark focus. The authors describe some proposed technology-based improvements, as well as some legal, economic, and organizational shortcomings of the trust model. They also propose first steps toward fixes and next steps for study.
INDEX TERMS
Blogs, Internet, Privacy, Computational modeling, Cryptography, Authentication, Legal factors, Law, Public key cryptography, Computer security, Access control, public-key cryptosystems, public policy, legal implications
CITATION
S. B. Roosa and S. Schultze, "Trust Darknet: Control and Compromise in the Internet's Certificate Authority Model," IEEE Internet Computing, vol. 17, no. 3, pp. 18-25, May-June 2013, doi:10.1109/MIC.2013.27