In this work, we explore the properties of the global PKI as it exists in practice. We then leverage this information to construct flexible mechanisms that allow observers to fashion individualized policies to determine certificate trust.
In our NDSS'14 paper, we describe a clustering methodology for deriving the certificate issuance template of a given certificate (an artifact that CAs do not generally publish in digital form). A graphical representation of the clustering output is available as an interactive UI. In this UI, the size of a graph node indicates the number of certificates in the corresponding cluster or tree of clusters. Clicking a leaf node shows the derived issuance template in the left-hand pane. Leaf nodes are named with numbers corresponding to the tightness of the clusters (smaller means tighter). Drop-down menus allow users to color the graph according to various properties, such as key lifetime. You can also filter results based on specific violations of the CA/Browser Forum guidelines.
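The following is an added illustration of the idea above, not code from the NDSS'14 paper or its authors: it reduces each certificate to the fields an issuer's template fixes (issuer, key algorithm and size, signature algorithm, extension set and criticality, lifetime bucket), groups certificates that share a template, and lets you filter the resulting clusters by guideline violations. To keep it runnable offline it works on plain dicts of already-parsed certificate fields rather than on DER input; the sample records, the bucketing rule and the thresholds in `check_guidelines` are constructed for this example and are parameters, not the paper's clustering metric or the exact Baseline Requirements text.

```python
"""Group certificates by issuance template and flag guideline violations.

Added example (not from the NDSS'14 paper). Certificates are plain dicts of
already-parsed X.509 fields so the code runs without an ASN.1/X.509 parser.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records. Each holds the fields an issuance template
# typically fixes: key type/size, signature algorithm, validity, extensions.
SAMPLE_CERTS = [
    {"serial": "A1", "issuer": "Example CA A", "key_alg": "RSA", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2013, 1, 1), "not_after": date(2014, 1, 1),
     "extensions": [("keyUsage", True), ("extKeyUsage", False),
                    ("subjectAltName", False), ("authorityKeyIdentifier", False),
                    ("crlDistributionPoints", False)]},
    {"serial": "A2", "issuer": "Example CA A", "key_alg": "RSA", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2013, 6, 1), "not_after": date(2014, 6, 1),
     "extensions": [("crlDistributionPoints", False), ("keyUsage", True),
                    ("subjectAltName", False), ("extKeyUsage", False),
                    ("authorityKeyIdentifier", False)]},
    # Same CA, but an old template: short key and a six-year lifetime.
    {"serial": "A3", "issuer": "Example CA A", "key_alg": "RSA", "key_bits": 1024,
     "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2013, 1, 1), "not_after": date(2019, 1, 1),
     "extensions": [("keyUsage", True), ("subjectAltName", False),
                    ("authorityKeyIdentifier", False)]},
    # Different CA; template omits subjectAltName.
    {"serial": "B1", "issuer": "Example CA B", "key_alg": "RSA", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2013, 3, 1), "not_after": date(2014, 3, 1),
     "extensions": [("keyUsage", True), ("extKeyUsage", False),
                    ("authorityKeyIdentifier", False)]},
]


def validity_days(cert):
    """Lifetime of the certificate in days."""
    return (cert["not_after"] - cert["not_before"]).days


def issuance_template(cert):
    """Derive a hashable template key from the fields a CA's template fixes.

    Extensions are sorted so that ordering differences do not split a
    cluster; the lifetime is bucketed to whole years (constructed rule).
    """
    exts = tuple(sorted(cert["extensions"]))
    lifetime_years = validity_days(cert) // 365
    return (cert["issuer"], cert["key_alg"], cert["key_bits"],
            cert["sig_alg"], exts, lifetime_years)


def cluster_by_template(certs):
    """Map each derived template to the serials of certificates sharing it."""
    clusters = defaultdict(list)
    for cert in certs:
        clusters[issuance_template(cert)].append(cert["serial"])
    return dict(clusters)


def check_guidelines(cert, max_validity_days=5 * 365, min_rsa_bits=2048):
    """Return the names of illustrative guideline rules this cert violates.

    Rules are modelled on CA/Browser Forum Baseline Requirements themes
    (minimum RSA size, maximum subscriber lifetime, required extensions);
    the thresholds are example parameters, not the normative text.
    """
    violations = []
    if cert["key_alg"] == "RSA" and cert["key_bits"] < min_rsa_bits:
        violations.append("rsa_key_too_short")
    if validity_days(cert) > max_validity_days:
        violations.append("validity_too_long")
    present = {name for name, _critical in cert["extensions"]}
    for required in ("subjectAltName", "authorityKeyIdentifier"):
        if required not in present:
            violations.append("missing_" + required)
    return violations


def clusters_with_violation(certs, violation):
    """Filter clusters to those containing a certificate with `violation`,
    mirroring the UI's filter-by-violation control."""
    by_serial = {c["serial"]: c for c in certs}
    result = {}
    for template, serials in cluster_by_template(certs).items():
        hits = [s for s in serials if violation in check_guidelines(by_serial[s])]
        if hits:
            result[template] = hits
    return result


if __name__ == "__main__":
    for template, serials in cluster_by_template(SAMPLE_CERTS).items():
        print(len(serials), "cert(s) with template", template[:4], "->", serials)
    print("short-key clusters:", clusters_with_violation(SAMPLE_CERTS, "rsa_key_too_short"))
```

In the real system the template key would come from the clustering metric over parsed X.509 fields rather than from exact equality on a tuple, and the tightness number attached to each leaf corresponds to how much variation that metric tolerated within the cluster.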
- Antoine Delignat-Lavaud, Martin Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie, Web PKI: Closing the Gap between Guidelines and Practices, in Proceedings of NDSS'14 (to appear), Internet Society, February 2014
- Martín Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie, Global Authentication in an Untrustworthy World, in 14th Workshop on Hot Topics in Operating Systems (HotOS XIV), USENIX Association, May 2013