TPRC47: Research Conference on Communications, Information and...
Saturday, September 21 • 5:06pm - 5:40pm
A Complete Study of P.K.I. (PKI’s Known Incidents)
In this work, we report on a comprehensive analysis of PKI resulting from Certificate Authorities' (CAs) behavior, using over 1300 incident instances. We found several cases where CAs designed business models that favored the issuance of digital certificates over the guidelines of the CA Forum, root management programs, and other PKI requirements. Examining PKI from the perspective of business practices, we develop a taxonomy of failures and identify systemic vulnerabilities in the governance and practices of PKI. Notorious cases include the "backdating" of digital certificates, the issuance of certificates for MITM attempts, the lack of verification of a requester's identity, and the unscrupulous issuance of rogue certificates. We performed a detailed study of 379 of these 1300 incidents. Using this sample, we developed a taxonomy of the different types of incidents and their causes. For each incident, we determined whether the incident was disclosed by the problematic CA itself, and we noted the Root CA involved and the year of the incident. We characterize the failures in terms of business practices, geography, and outcomes for the CAs. We analyzed the role of Root Program Owners (RPOs) and differentiated their policies. We identified serial and chronic offenders in the PKI trusted root programs: some of these were distrusted by RPOs, while others remain trusted despite their failures. We also identified cases where the concentration of power among RPOs was arguably a contributing factor in the incident, and we flag the cases where this concentration of power creates a risk of conflicts of interest. Our research is the first comprehensive academic study addressing all verified reported incidents. We approach this not from a machine-learning or statistical perspective; rather, we examine each publicly reported incident individually, with a focus on identifying patterns of individual lapses and on the roles of CAs and RPOs.
Building on this study, we identify the issues in incentive structures that contribute to these problems.

Petrus H. Potgieter, University of South Africa
Jean Camp, Indiana University Bloomington
H Hadan, Indiana University Bloomington
Nicolas Serrano, Indiana University Bloomington

Saturday September 21, 2019 5:06pm - 5:40pm PDT
Y403 WCL, 4300 Nebraska Ave, Washington DC