PKI Incident Reporting Trends: What Can We Learn from Community Reporting?

7 Pages. Posted: 5 Aug 2024

Jacob Abbott

Indiana University Bloomington

Skyler Johnson

Indiana University Bloomington

Katie Ferro

Indiana University Bloomington

Phenzi Blasio

Indiana University Bloomington

Eric Swiler

Indiana University Bloomington

L. Jean Camp

Indiana University Bloomington

Date Written: August 2, 2024

Abstract

How do untrustworthy, non-compliant, and otherwise dangerous certificates arise on the Web? What causes underlie the issuance of these certificates? To establish ground truth, we compiled reports of public key infrastructure (PKI) incidents resulting from Certificate Authorities' (CAs') issuance of non-compliant certificates between 2001 and December 2021 from reliable public sources, and we analyze them using qualitative coding of the CAs' own descriptions of the reported incidents. Our data sources had to be public, reliable, impartial, and trustworthy. These requirements excluded incidents published in media without proper sourcing, for example Medium blog posts. The backbone of our incident collection was Mozilla's Bugzilla, from which we collected 597 incident reports. Our results combine qualitative and quantitative analyses. We document trends in incidents, including their causes and types. We identify the parties that erred, the ways in which they failed, and the patterns of behavior among and between CAs. We enumerate the common recommendations on which we concur with the literature, and make some of our own. We argue that there is a need for systematic improvement in PKI now, and that this need will only increase as the interaction space for warnings and indicators shrinks with IoT and embedded systems. We also discuss potential avenues for future work to prevent future incidents and to detect problematic certificates before issuance.

Keywords: PKI, security, privacy, certificates, policy

Suggested Citation

Abbott, Jacob and Johnson, Skyler and Ferro, Katie and Blasio, Phenzi and Swiler, Eric and Camp, L. Jean, PKI Incident Reporting Trends: What Can We Learn from Community Reporting? (August 2, 2024). Proceedings of TPRC2024: The Research Conference on Communications, Information and Internet Policy. Available at SSRN: https://ssrn.com/abstract=4913651

Contact Author: Jacob Abbott

All authors: Indiana University Bloomington, 211 S Indiana Avenue, Bloomington, IN 47405, United States
