F-PKI: Enabling Innovation and Trust Flexibility in the HTTPS Public-Key Infrastructure

Laurent Chuat, Cyrill Krähenbühl, Prateek Mittal, Adrian Perrig

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations

Abstract

We present F-PKI, an enhancement to the HTTPS public-key infrastructure (or web PKI) that gives trust flexibility to both clients and domain owners, and enables certification authorities (CAs) to enforce stronger security measures. In today's web PKI, all CAs are equally trusted, and security is defined by the weakest link. We address this problem by introducing trust flexibility in two dimensions: with F-PKI, each domain owner can define a domain policy (specifying, for example, which CAs are authorized to issue certificates for their domain name) and each client can set or choose a validation policy based on trust levels. F-PKI thus supports a property that is sorely needed in today's Internet: trust heterogeneity. Different parties can express different trust preferences while still being able to verify all certificates. In contrast, today's web PKI only allows clients to fully distrust suspicious/misbehaving CAs, which is likely to cause collateral damage in the form of legitimate certificates being rejected. Our contribution is to present a system that is backward compatible, provides sensible security properties to both clients and domain owners, ensures the verifiability of all certificates, and prevents downgrade attacks. Furthermore, F-PKI provides a ground for innovation, as it gives CAs an incentive to deploy new security measures to attract more customers, without having these measures undercut by vulnerable CAs.

Original languageEnglish (US)
Title of host publication29th Annual Network and Distributed System Security Symposium, NDSS 2022
PublisherThe Internet Society
ISBN (Electronic)1891562746, 9781891562747
DOIs
StatePublished - 2022
Event29th Annual Network and Distributed System Security Symposium, NDSS 2022 - Hybrid, San Diego, United States
Duration: Apr 24 2022Apr 28 2022

Publication series

Name29th Annual Network and Distributed System Security Symposium, NDSS 2022

Conference

Conference29th Annual Network and Distributed System Security Symposium, NDSS 2022
Country/TerritoryUnited States
CityHybrid, San Diego
Period4/24/224/28/22

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'F-PKI: Enabling Innovation and Trust Flexibility in the HTTPS Public-Key Infrastructure'. Together they form a unique fingerprint.

Cite this