Director of Research (if dissertation) or Advisor (if thesis)
Bailey, Michael D
Department of Study
Electrical & Computer Eng
Discipline
Electrical & Computer Engr
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
M.S.
Degree Level
Thesis
Keyword(s)
Certificate
Misissuance
Abstract
Certificate Authorities (CAs) are responsible for delegating trust in the TLS Public Key Infrastructure (PKI). Unfortunately, there is a long history of CAs abusing this responsibility, either through negligence or, in some cases, by falling victim to attacks. As a result, the PKI community has established standards that define the correctness of certificates and how a well-managed CA should operate. In this work, we evaluate a systematic approach to identifying whether certificates issued by CAs are compliant with community standards. To this end, we present ZLint, a system that determines whether a certificate is not conformant to standards, i.e., misissued. We find that while misissuance has decreased over time, there is still a long tail of non-conformant CAs in the ecosystem. Further, our results show that certificate misissuance serves as a reasonable indicator of mismanagement and untrustworthiness, suggesting that CAs that misissue more frequently pose a greater threat to the security of the PKI. Community efforts thus far to curb these threats have been moderately successful, but the lack of a systematic approach to identifying these problems lets some classes of problems slip through the cracks. We argue that an automated and systematic approach to measuring misissuance in the ecosystem is a necessary first step in solving the problems that lie ahead.