skip to main content
10.1145/2488388.2488448acmotherconferencesArticle/Chapter ViewAbstractPublication PagesthewebconfConference Proceedingsconference-collections
research-article

Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure

Published: 13 May 2013 Publication History

Abstract

Recent trends in public-key infrastructure research explore the tradeoff between decreased trust in Certificate Authorities (CAs), resilience against attacks, communication overhead (bandwidth and latency) for setting up an SSL/TLS connection, and availability with respect to verifiability of public key information. In this paper, we propose AKI as a new public-key validation infrastructure, to reduce the level of trust in CAs. AKI integrates an architecture for key revocation of all entities (e.g., CAs, domains) with an architecture for accountability of all infrastructure parties through checks-and-balances. AKI efficiently handles common certification operations, and gracefully handles catastrophic events such as domain key loss or compromise. We propose AKI to make progress towards a public-key validation infrastructure with key revocation that reduces trust in any single entity.

References

[1]
Convergence. http://convergence.io/.
[2]
Perspectives Project. http://perspectives-project.org/.
[3]
The Monkeysphere Project. http://web.monkeysphere.info/, 2010.
[4]
Certificate Patrol. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/, 2011.
[5]
Public Key Pinning. http://www.imperialviolet.org/2011/05/04/pinning.html, May 2011.
[6]
Public Key Pinning Extension for HTTP. http://tools.ietf.org/html/draft-ietf-websec-key-pinning-01, Dec. 2011.
[7]
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Technical report, RFC 5280 (Proposed Standard) Internet Engineering Task Force, 2008.
[8]
M. M. Correia and M. Tok. DNS-based Authentication of Named Entities (DANE). Technical report, Universidade do Porto, 2011--2012.
[9]
P. Eckersley. Sovereign Key Cryptography for Internet Domains. https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=HEAD.
[10]
P. Eckersley. A Syrian Man-In-The-Middle Attack against Facebook. https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook, May 2011.
[11]
P. Eckersley. Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https, Mar. 2011.
[12]
S. Egelman, L. F. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the SIGCHI conference on Human factors in computing systems (CHI), 2008.
[13]
Electronic Frontier Foundation. SSL Observatory. https://www.eff.org/observatory.
[14]
N. Falliere, L. O. Murchu, and E. Chien. W32.Stuxnet Dossier. Technical report, Symantec Corporation, 2011.
[15]
S. Haber and W. S. Stornetta. How to time-stamp a digital document. In Advances in Cryptology, CRYPTO, 1990.
[16]
J. Hodges, C. Jackson, and A. Barth. HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard), Nov. 2012.
[17]
T. H.-J. Kim, V. Gligor, and A. Perrig. GeoPKI: Converting Spatial Trust into Certificate Trust. In Proceedings of the 9th European PKI Workshop (EuroPKI), Sep 2012.
[18]
T. H.-J. Kim, L.-S. Huang, A. Perrig, C. Jackson, and V. Gligor. Transparent Key Integrity (TKI): A Proposal for a Public-Key Validation Infrastructure. Technical Report Carnegie Mellon University-CyLab-12-016, Carnegie Mellon University, July 2012.
[19]
B. Laurie and E. Kasper. Revocation Transparency. http://sump2.links.org/files/RevocationTransparency.pdf.
[20]
B. Laurie and A. Langley. Certificate Authority Transparency and Auditability. http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf, 2011.
[21]
B. Laurie, A. Langley, and E. Kasper. Certificate Transparency certificate-transparency-draft. http://www.links.org/files/sunlight.html, Mar. 2012.
[22]
B. Laurie, A. Langley, and E. Kasper. Certificate Transparency. http://tools.ietf.org/html/draft-laurie-pki-sunlight-07, Jan. 2013.
[23]
M. Marlinspike. More Tricks For Defeating SSL In Practice. In Blackhat, 2009.
[24]
M. Marlinspike. SSL And The Future Of Authenticity. http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity, Apr 2011.
[25]
M. Marlinspike and T. Perrin. Trust Assertions for Certificiate Keys. http://tack.io/draft.html, May 2012.
[26]
M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. Technical report, RFC 2560 (Proposed Standard) Internet Engineering Task Force, 1999.
[27]
P. Roberts. Phony SSL Certificates issued for Google, Yahoo, Skype, Others. http://threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-\ skype-others-032311, Mar. 2011.
[28]
C. Soghoian and S. Stamm. Certified Lies: Detecting and Defeating Government Interception Attacks against SSL. http://files.cloudprivacy.net/ssl-mitm.pdf, 2010.
[29]
E. Stark, L.-S. Huang, D. Israni, C. Jackson, and D. Boneh. The case for prefetching and prevalidating TLS server certificates. In Proceedings of the 19th Network and Distributed System Security Symposium, 2012.
[30]
T. Sterling. Second firm warns of concern after Dutch hack. http://news.yahoo.com/second-firm-warns-concern-dutch-hack-215940770.html, 2011.
[31]
J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the USENIX Security Symposium, 2009.
[32]
E. Topalovic, B. Saeta, L.-S. Huang, C. Jackson, and D. Boneh. Towards Short-Lived Certificates. In Web 2.0 Security and Privacy, May 2012.
[33]
D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In Proceedings of USENIX Annual Technical Conference, June 2008.
[34]
X. Zhang, H.-C. Hsiao, G. Hasker, H. Chan, A. Perrig, and D. Andersen. SCION: Scalability, control, and isolation on next-generation networks. In Proceedings of IEEE Symposium on Security and Privacy, May 2011.

Cited By

View all
  • (2025)PKChain: Compromise-Tolerant and Verifiable Public Key Management SystemIEEE Internet of Things Journal10.1109/JIOT.2024.347875412:3(3130-3144)Online publication date: 1-Feb-2025
  • (2024)Decentralized PKI Framework for Data Integrity in Spatial Crowdsourcing Drone Services2024 IEEE International Conference on Web Services (ICWS)10.1109/ICWS62655.2024.00084(643-653)Online publication date: 7-Jul-2024
  • (2024)A Semi-Decentralized PKI Based on Blockchain With a Stake-Based Reward-Punishment MechanismIEEE Access10.1109/ACCESS.2024.339465712(60705-60721)Online publication date: 2024
  • Show More Cited By

Index Terms

  1. Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Other conferences
    WWW '13: Proceedings of the 22nd international conference on World Wide Web
    May 2013
    1628 pages
    ISBN:9781450320351
    DOI:10.1145/2488388

    Sponsors

    • NICBR: Nucleo de Informatcao e Coordenacao do Ponto BR
    • CGIBR: Comite Gestor da Internet no Brazil

    In-Cooperation

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 13 May 2013

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. accountability
    2. certificate validation
    3. public log servers
    4. public-key infrastructure
    5. ssl
    6. tls

    Qualifiers

    • Research-article

    Conference

    WWW '13
    Sponsor:
    • NICBR
    • CGIBR
    WWW '13: 22nd International World Wide Web Conference
    May 13 - 17, 2013
    Rio de Janeiro, Brazil

    Acceptance Rates

    WWW '13 Paper Acceptance Rate 125 of 831 submissions, 15%;
    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)28
    • Downloads (Last 6 weeks)6
    Reflects downloads up to 08 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2025)PKChain: Compromise-Tolerant and Verifiable Public Key Management SystemIEEE Internet of Things Journal10.1109/JIOT.2024.347875412:3(3130-3144)Online publication date: 1-Feb-2025
    • (2024)Decentralized PKI Framework for Data Integrity in Spatial Crowdsourcing Drone Services2024 IEEE International Conference on Web Services (ICWS)10.1109/ICWS62655.2024.00084(643-653)Online publication date: 7-Jul-2024
    • (2024)A Semi-Decentralized PKI Based on Blockchain With a Stake-Based Reward-Punishment MechanismIEEE Access10.1109/ACCESS.2024.339465712(60705-60721)Online publication date: 2024
    • (2023)BRT: An Efficient and Scalable Blockchain-Based Revocation Transparency System for TLS ConnectionsSensors10.3390/s2321881623:21(8816)Online publication date: 30-Oct-2023
    • (2023)A Public Key Infrastructure for 5G Service-Based Architecture2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00209(1532-1539)Online publication date: 1-Nov-2023
    • (2023)SECMACE+: Upscaling Pseudonymous Authentication for Large Mobile SystemsIEEE Transactions on Cloud Computing10.1109/TCC.2023.3250584(1-18)Online publication date: 2023
    • (2023)AUC: Accountable Universal Composability2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179384(1148-1167)Online publication date: May-2023
    • (2023)A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger TechnologiesIEEE Communications Surveys & Tutorials10.1109/COMST.2023.332364025:4(2529-2568)Online publication date: Dec-2024
    • (2023)LRS_PKIComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2023.110043237:COnline publication date: 1-Dec-2023
    • (2022)Temporal Analysis of X.509 Revocations and their Statuses2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW55150.2022.00032(258-265)Online publication date: Jun-2022
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media