Login | Register

Rethinking Certificate Authorities: Understanding and decentralizing domain validation


Rethinking Certificate Authorities: Understanding and decentralizing domain validation

Moosavi, Seyedehmahsa (2018) Rethinking Certificate Authorities: Understanding and decentralizing domain validation. Masters thesis, Concordia University.

[thumbnail of Moosavi_MASc_S2018.pdf]
Text (application/pdf)
Moosavi_MASc_S2018.pdf - Accepted Version
Available under License Spectrum Terms of Access.


HTTPS (HTTP over TLS) protocol provides message integrity, confidentiality,
and server authentication. Server authentication relies on the client’s ability to obtain
a correct public key which is bound to the server. To provide this, the Public
Key Infrastructure (PKI) uses a system of trusted third parties (TTPs) called the
certificate authorities (CAs). CAs are the companies who receive certificate requests
for domain names, they then use validation techniques to verify the ownership of
those domains and once verified, they issue the digital certificates. These digital
certificates are the electronic documents which simply bind domain names to the
cryptographic keys and can be further used to secure communication channels over
the web. However, PKI’s several drawbacks enabled the malicious parties to break
the entire CA model and issue themselves fraudulent certificates for domain names.
There has been little quantitative analysis of the certificate authorities (CAs)
and how they establish domain names validation, so we first perform a thorough
empirical study on the CA ecosystem and evaluate the security issues with the domain
verification techniques. We find out that a central problem with the certificate model
is that CAs resort to indirection to issue certificates because they are not directly
authoritative over who owns what domain. Therefore, we design and implement a new and useful paradigm for thinking about who is actually authoritative over PKI
information in the web certificate model. We then consider what smart contracts
could add to the web certificate model, if we move beyond using a blockchain as
passive, immutable (subject to consensus) store of data. To illustrate the potential,
we develop and experiment with an Ethereum-based web certificate model we call
Ghazal∗, discuss different design decisions, and analyze deployment costs.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Moosavi, Seyedehmahsa
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information and Systems Engineering
Date:2 April 2018
Thesis Supervisor(s):Clark, Jeremy
Keywords:Certificate Authorities, CAs, digital certificate, Ethereum, Blockchain, smart contract, PKI, naming system, public key, transparency, authoritative, indirection, Ghazal
ID Code:983671
Deposited On:11 Jun 2018 03:06
Last Modified:11 Jun 2018 03:06
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top