Share on Facebook Tweet on Twitter Share on LinkedIn Share by email

In this work, we explore the properties of the global PKI as it exists in practice. We then leverage this information to construct flexible mechanisms that allow observers to fashion individualized policies to determine certificate trust.

In our NDSS'14 paper, we describe a clustering methodology for determining the certificate issuance template of a given certificate (which is not generally available in a digital form).  You can see a graphical representation of the clustering output here.  In this UI, the size of graph nodes indicates the number of certificates in the corresponding cluster or tree of clusters.   If you click on a leaf node, you will see the derived issuance template in the left hand pane.  Leaf nodes are named with numbers corresponding to the tightness of the clusters, smaller means tighter.  Drop-down menus allow users to color the graph according to various properties, such as key lifetime.  You can also filter results based on specific violations of the CA/B forum guidelines.