You are viewing a javascript disabled version of the site. Please enable Javascript for this site to function properly.
Go to headerGo to navigationGo to searchGo to contentsGo to footer
In content section. Select this link to jump to navigation

CA trust management for the Web PKI

Article type: Research Article

Authors: Braun, Johannesa; * | Volk, Florianb | Classen, Jiskac | Buchmann, Johannesa | Mühlhäuser, Maxb

Affiliations: [a] Theoretical Computer Science, Cryptography and Computer Algebra, Technische Universität Darmstadt, Darmstadt, Germany. E-mails: [email protected], [email protected] | [b] Telecooperation Lab, Technische Universität Darmstadt and CASED, Darmstadt, Germany. E-mails: [email protected], [email protected] | [c] Secure Mobile Networking Lab, Technische Universität Darmstadt and CASED, Darmstadt, Germany. E-mail: [email protected]

Correspondence: [*] Corresponding author: Johannes Braun, Theoretical Computer Science, Cryptography and Computer Algebra, Technische Universität Darmstadt, Hochschulstraße 10, 64289 Darmstadt, Germany. Tel.: +49 6151 165541; Fax: +49 6151 166036; E-mail: [email protected].

Keywords: Trust view, CA trust management system, Web PKI, levels of trust, attack surface reduction

DOI: 10.3233/JCS-140509

Journal: Journal of Computer Security, vol. 22, no. 6, pp. 913-959, 2014

Published: 16 December 2014
Get PDF open access

Abstract

The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure and creates an enormous attack surface. In this article, we present CA-TMS, a user-centric CA trust management system based on trust views. CA-TMS can be used by relying entities to individually reduce the attack surface. CA-TMS works by restricting the trust placed in CAs of the Web PKI to trusting in exactly those CAs actually required by a relying entity. This restriction is based on locally collected information and does not require the alteration of the existing Web PKI. CA-TMS is complemented by an optional reputation system that allows to utilize the knowledge of other entities while maintaining the minimal set of trusted CAs. Our evaluation of CA-TMS with real world data shows that an attack surface reduction by more than 95% is achievable.

Show more