A compliance-based ranking of certificate authorities using probabilistic approaches

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS International Journal of Information Security Pub Date : 2024-05-29 DOI:10.1007/s10207-024-00867-3

Kashif Junaid, Muhammad Umar Janjua, Junaid Qadir

{"title":"A compliance-based ranking of certificate authorities using probabilistic approaches","authors":"Kashif Junaid, Muhammad Umar Janjua, Junaid Qadir","doi":"10.1007/s10207-024-00867-3","DOIUrl":null,"url":null,"abstract":"<p>The security of the global Certification Authority (CA) system has recently been compromised as a result of attacks on the Public Key Infrastructure (PKI). Although the CA/Browser (CA/B) Forum publishes compliance requirements for CAs, there are no guarantees that even a commercially successful CA is complying with these recommendations. In this paper, we propose the first systematic CA ranking mechanism that ranks CAs in terms of their adherence to the CA/B Forum and X.509 certificate standards. Unfortunately, there is no consolidated and widely accepted parameter to rank the CAs so we have proposed formula-based rating models and introduced different ranking techniques like Direct, Bayesian, and MarkovChain Ranking. These rankings are applied to a comprehensive dataset of X.509 trust chains gathered during the time period of 2020 to 2023. Our proposed ranking scheme can serve as a criterion for both consumers and enterprises for selecting and prioritizing CAs based on performance as well as adherence to the certificate standards. </p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"243 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-05-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00867-3","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The security of the global Certification Authority (CA) system has recently been compromised as a result of attacks on the Public Key Infrastructure (PKI). Although the CA/Browser (CA/B) Forum publishes compliance requirements for CAs, there are no guarantees that even a commercially successful CA is complying with these recommendations. In this paper, we propose the first systematic CA ranking mechanism that ranks CAs in terms of their adherence to the CA/B Forum and X.509 certificate standards. Unfortunately, there is no consolidated and widely accepted parameter to rank the CAs so we have proposed formula-based rating models and introduced different ranking techniques like Direct, Bayesian, and MarkovChain Ranking. These rankings are applied to a comprehensive dataset of X.509 trust chains gathered during the time period of 2020 to 2023. Our proposed ranking scheme can serve as a criterion for both consumers and enterprises for selecting and prioritizing CAs based on performance as well as adherence to the certificate standards.

Abstract Image

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

使用概率方法对证书颁发机构进行基于合规性的排名

由于公钥基础设施（PKI）受到攻击，全球认证机构（CA）系统的安全性最近受到了威胁。尽管 CA/B 浏览器（CA/B）论坛公布了对 CA 的合规要求，但即使是商业上成功的 CA 也不能保证一定遵守了这些建议。在本文中，我们提出了第一个系统的 CA 排名机制，根据 CA/B 论坛和 X.509 证书标准的遵守情况对 CA 进行排名。遗憾的是，目前还没有一个综合的、被广泛接受的参数来对 CA 进行排名，因此我们提出了基于公式的评级模型，并引入了不同的排名技术，如直接排名、贝叶斯排名和 MarkovChain 排名。这些排名适用于 2020 年至 2023 年期间收集的 X.509 信任链综合数据集。我们提出的排名方案可作为消费者和企业根据性能和证书标准的遵守情况选择和优先考虑 CA 的标准。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.