
Enhancing the ACME Protocol to Automate the Management of All X.509 Web Certificates

Conference paper, in: ICT Systems Security and Privacy Protection (SEC 2023)

Abstract

X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs, returned in a Verifiable Presentation (VP). We propose a generic communication workflow to request and present VPs, and provide a proof-of-concept of the viability of our approach.


Notes

  1. https://cabforum.org/.
  2. https://letsencrypt.org/.
  3. Identifiers for EV and OV certificates also include organization name, address, business category, etc.
  4. https://www.crosswordcybersecurity.com/identiproof.


Author information

Corresponding author: David A. Cordova Morales.


Copyright information

© 2024 IFIP International Federation for Information Processing


Cite this paper

Morales, D.A.C., Wazan, A.S., Chadwick, D.W., Laborde, R., Maramara, A.R.R., Cabral, K. (2024). Enhancing the ACME Protocol to Automate the Management of All X.509 Web Certificates. In: Meyer, N., Grocholewska-Czuryło, A. (eds) ICT Systems Security and Privacy Protection. SEC 2023. IFIP Advances in Information and Communication Technology, vol 679. Springer, Cham. https://doi.org/10.1007/978-3-031-56326-3_19


  • DOI: https://doi.org/10.1007/978-3-031-56326-3_19
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-56325-6
  • Online ISBN: 978-3-031-56326-3
