Public certificate management : An analysis of policies and practices used by CAs / Offentlig certifikathantering : En analys av policys och praxis som används av CAs

Bergström, Anna, Berghäll, Emily

January 2021

Certificate Authorities (CAs) carry a huge responsibility in today's internet security landscape as they issue certificates that establish secure end-to-end connections. This thesis conducts a policy review and survey of CAs' Certificate Policies and Certificate Practice Statements to find similarities and differences that could lead to possible vulnerabilities. Based on this, the thesis then presents a taxonomy-based analysis as well as comparisons of the top CAs to the Baseline Requirements. The main areas of the policies that were focused on are the issuance, revocation and expiration practices of the top 30 CAs as determined by the use of Tranco's list. We also determine the top CA groups, meaning the CAs whose policies are being used by the most other CAs as well as including a top 100 CAs list. The study suggests that the most popular CAs hold such a position because of two main reasons: they are easy to acquire and/or because they are connected to several other CAs.  The results suggest that some of the biggest vulnerabilities in the policies are what the CAs do not mention in any section as it puts the CA at risk for vulnerabilities. The results also suggest that the most dangerous attacks are social engineering attacks, as some of the stipulations for issuance and revocations make it possible to pretend to be the entity of subscribes to the certificate rather than a malicious one.

Certificate

Issuance

Revocation

Expiration

Certificate Authority

Certificate Policy

Certificate Practice Statement

Certificate Management

Policy review

Social engineering

CA/Browser forum

Baseline Requirements

Computer Sciences

Datavetenskap (datalogi)

Elektroninio parašo atributų sertifikavimas / Certification of electronic signature attributes

Lozda, Marius

27 June 2014

Darbe nagrinėjama atributinės informacijos sertifikavimo šiuo metu naudojamuose elektroniniuse parašuose problema. Trumpai apžvelgiami elektroninio parašo principai ir supažindinama su viešųjų raktų infrastruktūra, nurodant galimybes jai išplėsti, iškilus poreikiui užtikrinti aukštesnį saugumo lygį keičiantis papildoma (atributine) informacija. Nagrinėjami įvairūs atributinės informacijos sertifikavimo metodai, viešųjų raktų infrastruktūroje įvedant atributų sertifikato ir atributų sertifikavimo centro sąvokas. Pateikiamas tinkamiausio metodo pritaikymo pavyzdys, modeliuojant elektroninio parašo naudojimo situaciją, artimą dabartinei situacijai Lietuvoje. Sprendimo pritaikymas demonstruojamas apibrėžiant patobulintos elektroninio parašo infrastruktūros prototipą. / This paper analyses issues of attribute certification in currently used electronic signatures. Fundamentals of electronic signatures and public key infrastructure are briefly described, focusing on possibilities of achieving higher security level in communication when attribute information is important. Various suggestions for attribute certification are analysed, introducing atribute certificates and atribute authorities. Different certification methods are compared and evaluated, applying the most suitable one in the public key infrastructure usage model, that is constructed by simplifying the current situation of electronic signatures. The solution is represented by describing the prototype of improved electronic signature infrastructure.

Atributų sertifikavimas

Autorizacija

Autentifikacija

Atributinė informacija

Elektroninis parašas

Sertifikatas

Sertifikavimo centras

X.509

Parašo taisyklės

Prototipas

Skaitmeninis parašas

Viešųjų raktų infrastruktūra

Sertifikavimo veiklos nuostatai

Attribute certification

Authorization

Autentification

Digital signature

Electronic signature

Certificate

Certificate authority

Signature policy

Prototipe

Public key infrastructure

Certificate practice statement