Research and Progress of PKI Technology

CLC Number: TP309

    Abstract:

    The PKI system is currently an important facility that lets users securely access basic resources. It secures users' access to resources through authentication by a public third party. As PKI technology has been gradually deployed and applied, various security issues in deployment have arisen. Attackers can steal user information and disrupt user access by attacking the PKI system. This study starts from the basic working principle of PKI and comprehensively introduces all the elements involved in the practical deployment and application of the PKI system, including PKI architecture, workflow, certificates, certificate chains, certificate revocation, and CT log services. Building on these working principles, the study then takes the perspective of PKI system security and comprehensively sorts out and summarizes the security issues that the PKI system faces during its operation, including operational and technical risks, measurement and risk detection of the PKI system, and various risk prevention technologies for PKI systems. Finally, future research directions in the field of PKI are discussed.

Get Citation

Zhang Bin, Zhang Yu, Zhang Weizhe, Qiao Yanchen, Liu Xiang, Liu Penghui. Research and Progress of PKI Technology. Journal of Software,,():1-25

History
  • Received: January 24, 2024
  • Revised: August 15, 2024
  • Online: February 19, 2025
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4