A Complete Study of P.K.I. (PKI’s Known Incidents)

45 pages. Posted: 25 Jul 2019. Last revised: 26 Sep 2019.

Nicolas Serrano

Indiana University - Bloomington, School of Informatics, Computing & Engineering

Hilda Hadan

Indiana University Bloomington - School of Informatics, Computing & Engineering

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

Date Written: July 23, 2019

Abstract

In this work we report a comprehensive analysis of PKI failures resulting from Certificate Authorities' (CAs') behavior, drawing on over 1,300 incidents. We found several cases where CAs designed business models that favored the issuance of digital certificates over compliance with the CA/Browser Forum guidelines, root program requirements, and other PKI requirements. Examining PKI from the perspective of business practices, we develop a taxonomy of failures and identify systemic weaknesses in PKI governance and practice. Notorious cases include the backdating of digital certificates, the issuance of certificates for man-in-the-middle (MITM) interception, failure to verify a requester's identity, and the unscrupulous issuance of rogue certificates. We performed a detailed study of 379 of these 1,300 incidents. Using this sample, we developed a taxonomy of the different types of incidents and their causes. For each incident, we determined whether it was disclosed by the CA responsible, and we recorded the Root CA and the year of the incident. We characterize the failures in terms of business practices, geography, and outcomes for the CAs. We analyzed the role of Root Program Owners (RPOs) and differentiated their policies. We identified serial and chronic offenders in the trusted root programs: some of these were distrusted by RPOs, while others remain trusted despite their failures. We also identified cases where the concentration of power in RPOs was arguably a contributing factor to the incident, and we identify the resulting risk of conflicts of interest. Our research is the first comprehensive academic study addressing all verified reported incidents. Rather than taking a machine-learning or statistical approach, we examine each publicly reported incident individually, with a focus on identifying patterns in individual lapses and on the roles of CAs and RPOs.
Building on this study, we identify the issues in incentive structures that contribute to these problems.

Keywords: PKI, Trust, Digital Certificate, Certificate Authority, Rogue Certificate, PKI Governance, IoT

JEL Classification: L86

Suggested Citation

Serrano, Nicolas and Hadan, Hilda and Camp, L. Jean, A Complete Study of P.K.I. (PKI’s Known Incidents) (July 23, 2019). Available at SSRN: https://ssrn.com/abstract=3425554 or http://dx.doi.org/10.2139/ssrn.3425554

Nicolas Serrano (Contact Author)

Indiana University - Bloomington, School of Informatics, Computing & Engineering

Bloomington, IN
United States

Hilda Hadan

Indiana University Bloomington - School of Informatics, Computing & Engineering

901 E 10th St
Bloomington, IN 47405
United States

HOME PAGE: http://www.usablesecurity.net/people/profile.php?name=Hilda%20Hadan

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

901 E 10th St
Bloomington, IN 47401
United States
