Abstract
This chapter explains certificate management and public-key infrastructure (PKI), what they provide, technical mechanisms and architectures, and challenges. Two major certificate use cases are also considered here as examples: TLS as used in HTTPS for secure browser-server communications, and end-to-end encrypted email. Additional applications include SSH and IPsec (Chap. 10), DNSSEC (Chap. 11), and trusted computing.
References
C. Adams, S. Farrell, T. Kause, and T. Mononen. RFC 4210: Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP), Sept. 2005. Standards Track; obsoletes RFC 2510; updated by RFC 6712.
C. Adams and S. Lloyd. Understanding Public-Key Infrastructure (2nd edition). Addison-Wesley, 2002.
A. Arnbak, H. Asghari, M. van Eeten, and N. V. Eijk. Security collapse in the HTTPS market. Comm. ACM, 57(10):47-55, 2014.
R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten. RFC 8555: Automatic Certificate Management Environment (ACME), Mar. 2019. Proposed Standard.
CA/Browser Forum. Baseline requirements for the issuance and management of publicly-trusted certificates. Version 1.5.6, 5 February 2018. https://cabforum.org.
CA/Browser Forum. Guidelines for the issuance and management of Extended Validation certificates. Version 1.6.8, 21 December 2017 (effective 9 March 2018). https://cabforum.org.
J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer. RFC 4880: OpenPGP Message Format, Nov. 2007. Proposed Standard; obsoletes RFC 1991, RFC 2440.
F. Cangialosi, T. Chung, D. R. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. Measurement and analysis of private key sharing in the HTTPS ecosystem. In ACM Comp. & Comm. Security (CCS), pages 628-640, 2016.
J. Clark and P. C. van Oorschot. SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In IEEE Symp. Security and Privacy, pages 511-525, 2013.
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, May 2008. Proposed Standard; obsoletes RFC 3280, 4325, 4630; updated by RFC 6818 (Jan 2013). RFC 6211 explains why the signature algorithm appears twice in X.509 certificates.
L. F. Cranor and S. Garfinkel, editors. Security and Usability: Designing Secure Systems That People Can Use. O'Reilly Media, 2005.
T. Dierks and E. Rescorla. RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, Aug. 2008. Proposed Standard; obsoletes RFC 3268, 4346, 4366.
B. Dowling, F. Gunther, U. Herath, and D. Stebila. Secure logging schemes and Certificate Transparency. In Eur. Symp. Res. in Comp. Security (ESORICS), 2016.
Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS certificate ecosystem. In Internet Measurements Conf. (IMC), pages 291-304, 2013.
Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey, and J. Halderman. The matter of Heartbleed. In Internet Measurements Conf. (IMC), 2014.
S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, and B. Freisleben. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In ACM Comp. & Comm. Security (CCS), pages 50-61, 2012.
S. Garfinkel. Using S/MIME. Pages 563-593 in [25], 2006.
S. Garfinkel. PGP—Pretty Good Privacy. O'Reilly Media, 1995.
S. L. Garfinkel and R. C. Miller. Johnny 2: A user test of key continuity management with S/MIME and Outlook Express. In ACM Symp. Usable Privacy & Security (SOUPS), pages 13-24, 2005.
M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: Validating SSL certificates in non-browser software. In ACM Comp. & Comm. Security (CCS), pages 38-49, 2012.
P. Hoffman. RFC 2634: Enhanced Security Services for S/MIME, June 1999. Proposed Standard; updated by RFC 5035 (Aug 2007).
P. Hoffman and J. Schlyter. RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA, Aug. 2012. Proposed Standard; updated by RFC 7218, 7671.
R. Housley. RFC 5652: Cryptographic Message Syntax (CMS), Sept. 2009. Internet Standard; obsoletes RFC 3852, which itself obsoletes RFC 3369.
R. Housley and T. Polk. Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures. John Wiley, 2001.
M. Jakobsson and S. Myers, editors. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. John Wiley, 2006.
M. Just and P. C. van Oorschot. Addressing the problem of undetected signature key compromise. In Netw. Dist. Sys. Security (NDSS), 1999.
C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communications in a Public World (2nd edition). Prentice Hall, 2003.
S. T. Kent. Internet Privacy Enhanced Mail. Comm. ACM, 36(8):48-60, 1993.
M. Kranch and J. Bonneau. Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning. In Netw. Dist. Sys. Security (NDSS), 2015.
J. Larisch, D. R. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. CRLite: A scalable system for pushing all TLS revocations to all browsers. In IEEE Symp. Security and Privacy, pages 539-556, 2017.
B. Laurie. Certificate transparency. Comm. ACM, 57(10):40-46, 2014. See also RFC 6962.
J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, and J. Wu. When HTTPS meets CDN: A case of authentication in delegated service. In IEEE Symp. Security and Privacy, pages 67-82, 2014.
Y. Liu, W. Tome, L. Zhang, D. R. Choffnes, D. Levin, B. M. Maggs, A. Mislove, A. Schulman, and C. Wilson. An end-to-end measurement of certificate revocation in the web's PKI. In Internet Measurements Conf. (IMC), pages 183-196, 2015.
D. McCarney. A tour of the Automatic Certificate Management Environment (ACME). Internet Protocol Journal, 20(2):2-14, 2017. See also RFC 8555 [4], and J. Aas et al. (ACM CCS, 2019).
A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Openly available, http://cacr.uwaterloo.ca/hac/.
M. Naor and K. Nissim. Certificate revocation and certificate update. IEEE J. Selected Areas in Commns, 18(4):561-570, 2000.
M. Nystrom and B. Kaliski. RFC 2986: PKCS #10—Certification Request Syntax Specification ver1.7, Nov. 2000. Informational; obsoletes RFC 2314, updated by RFC 5967.
A. Oram and J. Viega, editors. Beautiful Security. O'Reilly Media, 2009.
H. Orman. Encrypted Email: The History and Technology of Message Privacy. Springer Briefs in Computer Science, 2015.
K. G. Paterson and T. van der Merwe. Reactive and proactive standardisation of TLS. In Security Standardisation Research (SSR), pages 160-186, 2016. Springer LNCS 10074.
V. Pham and T. Aura. Security analysis of leap-of-faith protocols. In SecureComm 2011, pages 337-355, 2011.
E. Rescorla. SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, 2001.
E. Rescorla. RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3, Aug. 2018. IETF Proposed Standard; obsoletes RFC 5077, 5246 (TLS 1.2), 6961.
S. Santesson, M. Meyers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP, June 2013. Standards Track; obsoletes RFC 2560, 6277.
J. Schaad, B. Ramsdell, and S. Turner. RFC 8550: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Certificate Handling, Apr. 2019. Proposed Standard; obsoletes RFC 5750.
J. Schaad, B. Ramsdell, and S. Turner. RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification, Apr. 2019. Proposed Standard; obsoletes RFC 5751.
C. Soghoian and S. Stamm. Certified lies: Detecting and defeating government interception attacks against SSL (short paper). In Financial Crypto, pages 250-259, 2011.
E. Stark, R. Sleevi, R. Muminovic, D. O'Brien, E. Messeri, A. P. Felt, B. McMillion, and P. Tabriz. Does Certificate Transparency break the web? Measuring adoption and error rate. In IEEE Symp. Security and Privacy, 2019.
J. Tan, L. Bauer, J. Bonneau, L. F. Cranor, J. Thomas, and B. Ur. Can unicorns help users compare crypto key fingerprints? In ACM Conf. on Human Factors in Computing Systems (CHI), pages 3787-3798, 2017.
S. Vaudenay. A Classical Introduction to Cryptography: Applications for Communications Security. Springer Science+Business Media, 2006.
N. Vratonjic, J. Freudiger, V. Bindschaedler, and J. Hubaux. The inconvenient truth about web certificates. In Workshop on Economics of Info. Security (WEIS), 2011.
L. Zhang, D. R. Choffnes, D. Levin, T. Dumitras, A. Mislove, A. Schulman, and C. Wilson. Analysis of SSL certificate reissues and revocations in the wake of Heartbleed. In Internet Measurements Conf. (IMC), pages 489-502, 2014.
P. R. Zimmermann. The Official PGP Users Guide. MIT Press, 1995.
P. R. Zimmermann and J. Callas. The evolution of PGP's web of trust. Pages 107-130 in [38], 2009.
M. E. Zurko. IBM Lotus Notes/Domino: Embedding security in collaborative applications. Pages 607-622 in [11], 2005.
© 2021 The Author(s)
About this chapter
Cite this chapter
van Oorschot, P.C. (2021). Public-Key Certificate Management and Use Cases. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_8
DOI: https://doi.org/10.1007/978-3-030-83411-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83410-4
Online ISBN: 978-3-030-83411-1
eBook Packages: Computer Science, Computer Science (R0)