An approach for evaluating trust in X.509 certificates

Uahhabi, Zakia El; Bakkali, Hanan El

doi:10.1109/icitst.2016.7856696

Cited by 1 publication

(2 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are approaches to assess certificates by making use of information regarding the issuing CA such as results of a distributed reputation mechanism [20]; propositional logic and probability theory using so-called trustworthiness terms [61]; as well as certificate policies [67]. Kumar et al [40] monitored certificates issued by a wide range of CAs and analyzed their compliance with RFC 5280, the CA/Browser Forum's Baseline Requirements (BRs), and community best practices.…”

Section: Related Workmentioning

confidence: 99%

“…Further research regarding the trustworthiness of CAs would also benefit from the standardization of machine-readable CP/CPS. According to other proposals [67,72], this standardization can make use of XML or JSON. Another proposed idea, the TB, has already made the transition from academic research into one of the most important standards in the field of information technology, namely X.509 [39].…”

Section: Future Workmentioning

confidence: 99%

See 1 more Smart Citation

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Heinl

Giehl

Wiedermann

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

Public key infrastructures (PKIs) build the foundation for secure communication of a vast majority of cloud services. In the recent past, there has been a series of security incidents leading to increasing concern regarding the trust model currently employed by PKIs. One of the key criticisms is the architecture's implicit assumption that certificate authorities (CAs) are trustworthy a priori. This work proposes a holistic metric to compensate this assumption by a differentiating assessment of a CA's individual trustworthiness based on objective criteria. The metric utilizes a wide range of technical and non-technical factors derived from existing policies, technical guidelines, and research. It consists of self-contained submetrics allowing the simple extension of the existing set of criteria. The focus is thereby on aspects which can be assessed by employing practically applicable methods of independent data collection. The metric is meant to help organizations, individuals, and service providers deciding which CAs to trust or distrust. For this, the modularized submetrics are clustered into coherent submetric groups covering a CA's different properties and responsibilities. By applying individually chosen weightings to these submetric groups, the metric's outcomes can be adapted to tailored protection requirements according to an exemplifying attacker model.

show abstract