WebPKI and You
5 days ago
- #WebPKI
- #HTTPS
- #Certificate Authorities
- HTTPS was introduced to protect web traffic from surveillance and attacks on public networks.
- WebPKI is a public key infrastructure that ensures only authorized servers have keys for specific websites, involving CAs and root programs.
- Certificate Authorities (CAs) validate and issue certificates containing server addresses, public keys, validation details, and CA signatures.
- Certificate types include Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV), each with different validation levels.
- Certificate Transparency (CT) logs were developed to prevent fraudulent certificates by making CA-issued certificates publicly observable.
- Certificate revocation methods include Certificate Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP), and OCSP stapling.
- Short-lived certificates reduce the need for revocation by expiring quickly, automating the issuance process.
- Private CAs can be used for internal systems, avoiding the complexities and public scrutiny of WebPKI.
- Incidents like Trustico's private key disclosure and Entrust's delayed revocation highlight systemic issues in CA practices.
- Microsoft's handling of a massive certificate revocation revealed operational challenges and transparency issues.
- Future improvements to WebPKI could include stricter CA restrictions, subscriber CAs, and better use of ACME Renewal Information (ARI).
- Auditing CAs is required but suffers from conflicts of interest and lagging indicators of problems.
- Relying parties have limited power to influence CA behavior, relying on root programs and public pressure for accountability.