TY - GEN
T1 - X-FTPC
T2 - 2nd EAI International Conference on Applied Cryptography in Computer and Communications, AC3 2022
AU - Wen, Shushang
AU - Li, Bingyu
AU - Ma, Ziqiang
AU - Wu, Qianhong
AU - Yu, Nenghai
N1 - Publisher Copyright:
© 2022, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
PY - 2022
Y1 - 2022
N2 - Cross-certification plays a fundamental role in interconnecting different root stores in public key infrastructure (PKI). However, existing trust management mechanisms (e.g., certificate extensions) cannot implement fine-grained control over the trust propagation caused by cross-signing. Consequently, although cross-certification expands the trust scope of certificate authorities (CAs), it also introduces new security risks into the existing PKI system: (a) it makes certification paths more complicated and leaves them without effective control, resulting in arbitrary propagation of trust, and (b) more seriously, it may allow a revoked cross-signed CA to continue issuing certificates that still have valid trust paths, because the cross-certificates for that CA have not all been revoked. Certificate Transparency (CT) was proposed to detect maliciously or mistakenly issued certificates and to improve the accountability of CAs by recording all certificates in publicly visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification that builds on the idea of transparency and on the publicly accessible, auditable, and append-only properties of CT logs. X-FTPC introduces a new certificate extension that forces a cross-signed CA to submit an end-entity certificate to a specified log for pre-verification before the certificate can be accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, the scheme is fully compatible with the CT frameworks already widely deployed on the Internet.
KW - Certificate transparency
KW - Cross certification
KW - Cross-signing
KW - Public key infrastructure
KW - Trust management
UR - https://www.scopus.com/pages/publications/85141755699
U2 - 10.1007/978-3-031-17081-2_8
DO - 10.1007/978-3-031-17081-2_8
M3 - Conference contribution
AN - SCOPUS:85141755699
SN - 9783031170805
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 123
EP - 138
BT - Applied Cryptography in Computer and Communications - 2nd EAI International Conference, AC3 2022, Proceedings
A2 - Lin, Jingqiang
A2 - Tang, Qiang
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 14 May 2022 through 15 May 2022
ER -
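The abstract above describes the mechanism only in outline: a cross-certificate carries a new extension naming a CT log, and an end-entity certificate reached through that cross-certificate is accepted only after the named log has pre-verified it, so a cross-signed CA whose issuance is no longer admitted by the log can no longer mint certificates with a valid path. The toy model below is an added illustration of that gate and is not the paper's code; the extension name `x-ftpc-required-log`, the HMAC stand-in for signatures and SCTs, the CA and log names, and the log's per-issuer admission list are all assumptions made for the example, not details taken from the paper. It contrasts a plain cross-certificate with one carrying the extension after the cross-signed CA has been revoked in its home hierarchy but the cross-certificate itself has not been revoked, which is risk (b) in the abstract.

```python
"""Toy model of X-FTPC-style trust-propagation control (constructed example).

Certificates are "signed" with an HMAC under the issuer's secret and an SCT is an
HMAC under the log's secret; both stand in for real signatures so the path
validation logic runs offline. The extension name below is an assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

X_FTPC_LOG_EXT = "x-ftpc-required-log"   # hypothetical extension name (assumption)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    extensions: dict = field(default_factory=dict)
    sig: bytes = b""

    def tbs(self) -> bytes:
        """The to-be-signed bytes: everything except the signature."""
        ext = ",".join(f"{k}={v}" for k, v in sorted(self.extensions.items()))
        return f"{self.subject}|{self.issuer}|{self.is_ca}|{ext}".encode()


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(issuer_key: bytes, subject: str, issuer: str, is_ca: bool, extensions=None) -> Cert:
    unsigned = Cert(subject, issuer, is_ca, dict(extensions or {}))
    return Cert(subject, issuer, is_ca, unsigned.extensions, _mac(issuer_key, unsigned.tbs()))


def sig_ok(issuer_key: bytes, cert: Cert) -> bool:
    return hmac.compare_digest(_mac(issuer_key, cert.tbs()), cert.sig)


class Log:
    """Append-only log that pre-verifies submissions from admitted issuers only."""

    def __init__(self, key: bytes, admitted_issuers):
        self.key = key
        self.admitted = set(admitted_issuers)   # maintained by the log operator's monitor
        self.entries = []                        # append-only record of accepted certs

    def submit(self, cert: Cert):
        if cert.issuer not in self.admitted:
            return None                          # pre-verification refused: no SCT issued
        self.entries.append(cert)
        return _mac(self.key, cert.tbs())        # the SCT for this certificate

    def sct_ok(self, cert: Cert, sct) -> bool:
        return sct is not None and hmac.compare_digest(_mac(self.key, cert.tbs()), sct)


def validate(chain, trusted_roots, keys, logs, scts):
    """chain[0] is the leaf; chain[-1] must be issued by a name in trusted_roots.
    keys maps CA name -> verification secret (toy); scts maps log name -> SCT for the leaf.
    Any X-FTPC extension on the path adds a log whose SCT the leaf must carry."""
    leaf, required_logs = chain[0], []
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent.subject != cert.issuer or not parent.is_ca:
                return False, f"bad issuer link at {cert.subject}"
        elif cert.issuer not in trusted_roots:
            return False, f"issuer {cert.issuer} is not a trusted root"
        if cert.issuer not in keys or not sig_ok(keys[cert.issuer], cert):
            return False, f"bad signature on {cert.subject}"
        if X_FTPC_LOG_EXT in cert.extensions:
            required_logs.append(cert.extensions[X_FTPC_LOG_EXT])
    for log_name in required_logs:
        if log_name not in logs or not logs[log_name].sct_ok(leaf, scts.get(log_name)):
            return False, f"leaf not pre-verified by log {log_name}"
    return True, "ok"


def demo():
    """Constructed scenario: RootA cross-signs CrossCA (home hierarchy RootB)."""
    keys = {"RootA": b"k-rootA", "RootB": b"k-rootB", "CrossCA": b"k-cross"}
    log_a = Log(b"k-logA", admitted_issuers=["CrossCA"])
    logs = {"LogA": log_a}
    plain_xc = sign(keys["RootA"], "CrossCA", "RootA", True)
    xftpc_xc = sign(keys["RootA"], "CrossCA", "RootA", True, {X_FTPC_LOG_EXT: "LogA"})
    # While CrossCA is in good standing, its leaf is pre-verified and accepted.
    leaf1 = sign(keys["CrossCA"], "www.example.test", "CrossCA", False)
    before = validate([leaf1, xftpc_xc], {"RootA"}, keys, logs, {"LogA": log_a.submit(leaf1)})
    # CrossCA is revoked under RootB; the cross-certificates are never revoked,
    # but the log operator's monitor stops admitting CrossCA's submissions.
    log_a.admitted.discard("CrossCA")
    leaf2 = sign(keys["CrossCA"], "evil.example.test", "CrossCA", False)
    after_plain = validate([leaf2, plain_xc], {"RootA"}, keys, logs, {})
    after_xftpc = validate([leaf2, xftpc_xc], {"RootA"}, keys, logs, {"LogA": log_a.submit(leaf2)})
    return {"before_revocation": before, "plain_cross_cert_after": after_plain,
            "xftpc_cross_cert_after": after_xftpc, "log_entries": len(log_a.entries)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the plain cross-certificate case the post-revocation leaf still builds a valid path to RootA, which is exactly the trust-propagation gap the abstract describes; with the extension present, the leaf is rejected because the designated log refused to pre-verify it, and the refusal is visible in the log's append-only record. A real deployment would use X.509 extensions and Merkle-tree logs with signed SCTs rather than the HMAC stand-ins used here.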