PDF iconDownload This Paper
Open PDF in Browser
Add Paper to My Library
Permalink
Using these links will ensure access to this page indefinitely
Copy URL
Copy DOI

A Complete Study of P.K.I. (PKI’s Known Incidents)

TPRC47: The 47th Research Conference on Communication, Information and Internet Policy 2019

45 Pages Posted: 25 Jul 2019 Last revised: 26 Sep 2019

See all articles by Nicolas Serrano

Nicolas Serrano

Indiana University - Bloomington, School of Informatics, Computing & Engineering

Hilda Hadan

University of Waterloo - Systems Design Engineering

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

Date Written: July 23, 2019

Abstract

In this work, we report on a comprehensive analysis of PKI resulting from Certificate Authorities’ (CAs) behavior using over 1300 instances. We found several cases where CAs designed business models that favored the issuance of digital certificates over the guidelines of the CA Forum, root management programs, and other PKI requirements. Examining PKI from the perspective of business practices, we identify a taxonomy of failures and identify systemic vulnerabilities in the governance and practices in PKI. Notorious cases include the “backdating” of digital certificates, the issuance of these for MITM attempts, the lack of verification of a requester’s identity, and the unscrupulous issuance of rogue certificates. We performed a detailed study of 379 of these 1300 incidents. Using this sample, we developed a taxonomy of the different types of incidents and their causes. For each incident, we determined if the incident was disclosed by the problematic CA. We also noted the Root CA and the year of the incident. We identify the failures in terms of business practices, geography, and outcomes from CAs. We analyzed the role of Root Program Owners (RPOs) and differentiated their policies. We identified serial and chronic offenders in the PKI trusted root programs. Some of these were distrusted by RPOs, while others remain being trusted despite failures. We also identified cases where the concentration of power of RPOs was arguably a contributing factor in the incident. We identify these cases where there is a risk of concentration of power and the resulting conflict of interests. Our research is the first comprehensive academic study addressing all verified reported incidents. We approach this not from a machine learning or statistical perspective but, rather, we identify each reported public incident with a focus on identifying patterns of individual lapses. Here we also have a specific focus on the role of CAs and RPOs. Building on this study, we identify the issues in incentive structures that are contributors to the problems.

Keywords: PKI, Trust, Digital Certificate, Certificate Authority, Rogue Certificate, PKI Governance, IoT

JEL Classification: L86

Suggested Citation

Serrano, Nicolas and Hadan, Hilda and Camp, L. Jean, A Complete Study of P.K.I. (PKI’s Known Incidents) (July 23, 2019). TPRC47: The 47th Research Conference on Communication, Information and Internet Policy 2019, Available at SSRN: https://ssrn.com/abstract=3425554 or http://dx.doi.org/10.2139/ssrn.3425554

Nicolas Serrano (Contact Author)

Indiana University - Bloomington, School of Informatics, Computing & Engineering ( email )

Bloomington, IN
United States

Hilda Hadan

University of Waterloo - Systems Design Engineering ( email )

Waterloo, Ontario
Canada

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing ( email )

901 E 10th St
Bloomington, IN 47401
United States

PDF iconDownload This Paper
Open PDF in Browser

Do you have a job opening that you would like to promote on SSRN?

Place Job Opening

Paper statistics

Downloads
1,800
Abstract Views
11,262
Rank
20,357
3 Citations
54 References
PlumX Metrics

Related eJournals