Abstract
Cross-certification plays a fundamental role in facilitating the interconnection between different root stores in public key infrastructure (PKI). However, the existing trust management schemes (e.g., certificate extension) cannot implement fine-grained control over the trust propagation caused by cross-signing. This leads to the fact that although cross-certification expands the trust scope of certificate authorities (CAs), it also brings new security risks to the existing PKI system: (a) makes the certification path in PKI more complicated and lacks effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, may even cause a revoked Cross-signed CA to continue to issue certificates that still have valid trust paths, due to the presence of cross-certificates that have not been fully revoked. Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates and improve the accountability of CAs, by recording all certificates in publicly-visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly-accessible, auditable, and append-only features of the CT log. X-FTPC introduces a new certificate extension to force the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before it can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, it is fully compatible with CT frameworks that are widely deployed on the Internet.
This work was supported in part by the National Natural Science Foundation of China under Grant 62002011, Grant 61772518, Grant 61932011, Grant 61972019, and Grant U21A20467; in part by the Youth Top Talent Support Program of Beihang University under Grant YWF-22-L-1272; in part by the China Postdoctoral Science Foundation under Grant 2021T140042 and Grant 2021M690304; in part by the Key RD Plan of Shandong Province, China under Grant 2020CXGC010115; and in part by the Beijing Natural Science Foundation through project M21031.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In this paper, we do not restrict the specific format and content of the verification criteria. Issuing CA can define it according to their own application scenarios.
References
Amann, J., Gasser, O., et al.: Mission accomplished? HTTPS security after DigiNotar. In: 17th IMC (2017)
Casola, V., Mazzeo, A., Mazzocca, N., Rak, M.: An innovative policy-based cross certification methodology for public key infrastructures. In: Chadwick, D., Zhao, G. (eds.) EuroPKI 2005. LNCS, vol. 3545, pp. 100–117. Springer, Heidelberg (2005). https://doi.org/10.1007/11533733_7
Chung, T., Liu, Y., et al.: Measuring and applying invalid SSL certificates: the silent majority. In: 16th IMC (2016)
Clark, J., van Oorschot, P.: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: 34th IEEE S &P (2013)
Cooper, D., Santesson, S., et al.: IETF RFC 5280 - Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile (2008)
Debnath, J., Chau, S.Y., et al.: On re-engineering the X.509 PKI with executable specification for better implementation guarantees. In: 28th ACM CCS (2021)
Durumeric, Z., Kasten, J., et al.: Analysis of the https certificate ecosystem. In: 13th IMC (2013)
Google Inc.: Certificate transparency (2021). https://www.certificate-transparency.org/
Google Inc.: Known logs (2021). https://www.certificate-transparency.org/known-logs
Hiller, J., Amann, J., et al.: The boon and bane of cross-signing: shedding light on a common practice in public key infrastructures. In: 27th ACM CCS (2020)
Holz, R., Braun, L., et al.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: 11th IMC (2011)
Internet Security Research Group: Chain of Trust (2021). https://letsencrypt.org/certificates/
Johnathan Nightingale: Mozilla Security Blog - DigiNotar Removal Follow Up (2011). https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/
Laurie, B., Langley, A., et al.: IETF RFC 6962 - Certificate transparency (2013)
Leibowitz, H., Ghalwash, H., et al.: CTng: secure certificate and revocation transparency. Cryptology ePrint Archive (2021)
Li, B., Lin, J., et al.: Certificate transparency in the wild: exploring the reliability of monitors. In: 26th AMC CCS (2019)
Li, B., Lin, J., et al.: Locally-centralized certificate validation and its application in desktop virtualization systems. IEEE TIFS 16, 1380–1395 (2020)
Li, B., Lin, J., et al.: The invisible side of certificate transparency: exploring the reliability of monitors in the wild. IEEE/ACM ToN 30(2), 749–765 (2021)
Matsumoto, S., Szalachowski, P., Perrig, A.: Deployment challenges in log-based PKI enhancements. In: 8th EuroSec (2015)
Melara, M.S., Blankstein, A., et al.: CONIKS: bringing key transparency to end users. In: 24th USENIX Security Symposium (2015)
Mozilla: Bug 403437 - Request Valicert/Starfield/GoDaddy Root Certificates be enabled for EV. https://bugzilla.mozilla.org/show_bug.cgi?id=403437
Roosa, S.B., Schultze, S.: Trust darknet: control and compromise in the internet’s certificate authority model. IEEE Internet Comput. 17(3), 18–25 (2013)
Ryan, M.D.: Enhanced certificate transparency and end-to-end encrypted mail. In: 21st NDSS (2014)
Singh, A., Sengupta, B., Ruj, S.: Certificate transparency with enhancements and short proofs. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 381–389. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_22
StackExchange: Are X.509 nameConstraints on certificates supported on OS X? https://security.stackexchange.com/questions/95600/are-x-509-nameconstraints-on-certificates-supported-on-os-x
Stark, E., Sleevi, R., et al.: Does certificate transparency break the web? Measuring adoption and error rate. In: 40th IEEE S &P (2019)
Szalachowski, P., Matsumoto, S., et al.: PoliCert: secure and flexible TLS certificate management. In: 21st ACM CCS (2014)
Szalachowski, P., Chuat, L., et al.: PKI safety net (PKISN): addressing the too-big-to-be-revoked problem of the TLS ecosystem. In: 1st IEEE EuroS &P (2016)
Tomescu, A., Bhupatiraju, V., et al.: Transparency logs via append-only authenticated dictionaries. In: 26th ACM CCS (2019)
Turnbull, J.: Cross-certification and PKI policy networking. Entrust, Inc. (2000)
Zhang, Y., Liu, B., et al.: Rusted anchors: a national client-side view of hidden root CAs in the web PKI ecosystem. In: 28th ACM CCS (2021)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Wen, S., Li, B., Ma, Z., Wu, Q., Yu, N. (2022). X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. In: Lin, J., Tang, Q. (eds) Applied Cryptography in Computer and Communications. AC3 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 448. Springer, Cham. https://doi.org/10.1007/978-3-031-17081-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-17081-2_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17080-5
Online ISBN: 978-3-031-17081-2
eBook Packages: Computer ScienceComputer Science (R0)