1. Public certificate management revisited: A summary of policy changes over a two-year period (2021-2023) / Swedish subtitle: A summary of Certificate Authorities' policies. Bergström, Simon; Kozak, Lowe. January 2023 (has links)

The purpose of this study was to investigate how the Digital Certificate management actors of the Public Key Infrastructure of the Internet have changed over the past two years (2021-2023). A set of one million registered top domains was queried with the intention of mapping out their certificates. This thesis presents a frequency analysis of issuing Certificate Authorities of the top one million domains and presents a concise table showing which are the most popular Certificate Authorities, as well as how the popularity has shifted over the past two years. This thesis also presents tables of how well a select few major Certificate Authorities follow the stipulated Baseline Requirements issued for the purpose of setting guidelines in handling certificates. Our findings suggest that the major Certificate Authorities have highly increased their compliance with the requirements over the time period. The Baseline Requirements have stipulated a few new guidelines, none of which relate to the fields of issuance, revocation and expiration. All the major Certificate Authorities have added more support than they have retracted, and so it is clear to see that they respect the Baseline Requirements and work toward implementing them.
2. Public certificate management: An analysis of policies and practices used by CAs / Swedish title: Public certificate management: An analysis of policies and practices used by CAs. Bergström, Anna; Berghäll, Emily. January 2021 (has links)

Certificate Authorities (CAs) carry a huge responsibility in today's internet security landscape as they issue certificates that establish secure end-to-end connections. This thesis conducts a policy review and survey of CAs' Certificate Policies and Certificate Practice Statements to find similarities and differences that could lead to possible vulnerabilities. Based on this, the thesis then presents a taxonomy-based analysis as well as comparisons of the top CAs to the Baseline Requirements. The main areas of the policies that were focused on are the issuance, revocation and expiration practices of the top 30 CAs as determined by the use of Tranco's list. We also determine the top CA groups, meaning the CAs whose policies are being used by the most other CAs, as well as including a top 100 CAs list. The study suggests that the most popular CAs hold such a position because of two main reasons: they are easy to acquire and/or because they are connected to several other CAs. The results suggest that some of the biggest vulnerabilities in the policies are what the CAs do not mention in any section, as it puts the CA at risk for vulnerabilities. The results also suggest that the most dangerous attacks are social engineering attacks, as some of the stipulations for issuance and revocations make it possible to pretend to be the entity that subscribes to the certificate rather than a malicious one.