X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency

Shushang Wen; Bingyu Li; Ziqiang Ma; Qianhong Wu; Nenghai Yu

doi:10.1007/978-3-031-17081-2_8

X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency

Shushang Wen
, Bingyu Li^*
, Ziqiang Ma
, Qianhong Wu
, Nenghai Yu

^*Corresponding author for this work

School of Cyber Science and Technology

University of Science and Technology of China
Ningxia University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Cross-certification plays a fundamental role in facilitating the interconnection between different root stores in public key infrastructure (PKI). However, the existing trust management schemes (e.g., certificate extension) cannot implement fine-grained control over the trust propagation caused by cross-signing. This leads to the fact that although cross-certification expands the trust scope of certificate authorities (CAs), it also brings new security risks to the existing PKI system: (a) makes the certification path in PKI more complicated and lacks effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, may even cause a revoked Cross-signed CA to continue to issue certificates that still have valid trust paths, due to the presence of cross-certificates that have not been fully revoked. Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates and improve the accountability of CAs, by recording all certificates in publicly-visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly-accessible, auditable, and append-only features of the CT log. X-FTPC introduces a new certificate extension to force the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before it can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, it is fully compatible with CT frameworks that are widely deployed on the Internet.

Original language	English
Title of host publication	Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings
Editors	Jingqiang Lin, Qiang Tang
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	123-138
Number of pages	16
ISBN (Print)	9783031170805
DOIs	https://doi.org/10.1007/978-3-031-17081-2_8
State	Published - 2022
Event	2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022 - Virtual, Online Duration: 14 May 2022 → 15 May 2022

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	448 LNICST
ISSN (Print)	1867-8211
ISSN (Electronic)	1867-822X

Conference

Conference	2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022
City	Virtual, Online
Period	14/05/22 → 15/05/22

Keywords

Certificate transparency
Cross certification
Cross-signing
Public key infrastructure
Trust management

Access to Document

10.1007/978-3-031-17081-2_8

Cite this

Wen, S., Li, B., Ma, Z., Wu, Q., & Yu, N. (2022). X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. In J. Lin, & Q. Tang (Eds.), Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings (pp. 123-138). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 448 LNICST). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-17081-2_8

Wen, Shushang ; Li, Bingyu ; Ma, Ziqiang et al. / X-FTPC : A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings. editor / Jingqiang Lin ; Qiang Tang. Springer Science and Business Media Deutschland GmbH, 2022. pp. 123-138 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{cd914524821d4e8d87def1d1a52aa345,

title = "X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency",

abstract = "Cross-certification plays a fundamental role in facilitating the interconnection between different root stores in public key infrastructure (PKI). However, the existing trust management schemes (e.g., certificate extension) cannot implement fine-grained control over the trust propagation caused by cross-signing. This leads to the fact that although cross-certification expands the trust scope of certificate authorities (CAs), it also brings new security risks to the existing PKI system: (a) makes the certification path in PKI more complicated and lacks effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, may even cause a revoked Cross-signed CA to continue to issue certificates that still have valid trust paths, due to the presence of cross-certificates that have not been fully revoked. Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates and improve the accountability of CAs, by recording all certificates in publicly-visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly-accessible, auditable, and append-only features of the CT log. X-FTPC introduces a new certificate extension to force the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before it can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, it is fully compatible with CT frameworks that are widely deployed on the Internet.",

keywords = "Certificate transparency, Cross certification, Cross-signing, Public key infrastructure, Trust management",

author = "Shushang Wen and Bingyu Li and Ziqiang Ma and Qianhong Wu and Nenghai Yu",

note = "Publisher Copyright: {\textcopyright} 2022, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.; 2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022 ; Conference date: 14-05-2022 Through 15-05-2022",

year = "2022",

doi = "10.1007/978-3-031-17081-2\_8",

language = "英语",

isbn = "9783031170805",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "123--138",

editor = "Jingqiang Lin and Qiang Tang",

booktitle = "Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings",

address = "德国",

}

Wen, S, Li, B, Ma, Z, Wu, Q & Yu, N 2022, X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. in J Lin & Q Tang (eds), Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 448 LNICST, Springer Science and Business Media Deutschland GmbH, pp. 123-138, 2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022, Virtual, Online, 14/05/22. https://doi.org/10.1007/978-3-031-17081-2_8

X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. / Wen, Shushang; Li, Bingyu; Ma, Ziqiang et al.
Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings. ed. / Jingqiang Lin; Qiang Tang. Springer Science and Business Media Deutschland GmbH, 2022. p. 123-138 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 448 LNICST).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - X-FTPC

T2 - 2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022

AU - Wen, Shushang

AU - Li, Bingyu

AU - Ma, Ziqiang

AU - Wu, Qianhong

AU - Yu, Nenghai

PY - 2022

Y1 - 2022

N2 - Cross-certification plays a fundamental role in facilitating the interconnection between different root stores in public key infrastructure (PKI). However, the existing trust management schemes (e.g., certificate extension) cannot implement fine-grained control over the trust propagation caused by cross-signing. This leads to the fact that although cross-certification expands the trust scope of certificate authorities (CAs), it also brings new security risks to the existing PKI system: (a) makes the certification path in PKI more complicated and lacks effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, may even cause a revoked Cross-signed CA to continue to issue certificates that still have valid trust paths, due to the presence of cross-certificates that have not been fully revoked. Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates and improve the accountability of CAs, by recording all certificates in publicly-visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly-accessible, auditable, and append-only features of the CT log. X-FTPC introduces a new certificate extension to force the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before it can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, it is fully compatible with CT frameworks that are widely deployed on the Internet.

AB - Cross-certification plays a fundamental role in facilitating the interconnection between different root stores in public key infrastructure (PKI). However, the existing trust management schemes (e.g., certificate extension) cannot implement fine-grained control over the trust propagation caused by cross-signing. This leads to the fact that although cross-certification expands the trust scope of certificate authorities (CAs), it also brings new security risks to the existing PKI system: (a) makes the certification path in PKI more complicated and lacks effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, may even cause a revoked Cross-signed CA to continue to issue certificates that still have valid trust paths, due to the presence of cross-certificates that have not been fully revoked. Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates and improve the accountability of CAs, by recording all certificates in publicly-visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly-accessible, auditable, and append-only features of the CT log. X-FTPC introduces a new certificate extension to force the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before it can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, it is fully compatible with CT frameworks that are widely deployed on the Internet.

KW - Certificate transparency

KW - Cross certification

KW - Cross-signing

KW - Public key infrastructure

KW - Trust management

UR - https://www.scopus.com/pages/publications/85141755699

U2 - 10.1007/978-3-031-17081-2_8

DO - 10.1007/978-3-031-17081-2_8

M3 - 会议稿件

AN - SCOPUS:85141755699

SN - 9783031170805

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 123

EP - 138

BT - Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings

A2 - Lin, Jingqiang

A2 - Tang, Qiang

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 14 May 2022 through 15 May 2022

ER -

Wen S, Li B, Ma Z, Wu Q, Yu N. X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency. In Lin J, Tang Q, editors, Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 123-138. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-031-17081-2_8