Public-Key Certificate Management and Use Cases

Part of the Information Security and Cryptography book series (ISC)

Abstract

This chapter explains certificate management and public-key infrastructure (PKI), what they provide, technical mechanisms and architectures, and challenges. Two major certificate use cases are also considered here as examples: TLS as used in HTTPS for secure browser-server communications, and end-to-end encrypted email. Additional applications include SSH and IPsec (Chap. 10), DNSSEC (Chap. 11), and trusted computing.

  • Chapter length: 32 pages

Copyright information

© 2021 The Author(s)

About this chapter

Cite this chapter

van Oorschot, P.C. (2021). Public-Key Certificate Management and Use Cases. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_8

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer Science; Computer Science (R0)