Laurent Chuat (ETH Zurich), Cyrill Krähenbühl (ETH Zürich), Prateek Mittal (Princeton University), Adrian Perrig (ETH Zurich)

We present F-PKI, an enhancement to the HTTPS public-key infrastructure (or web PKI) that gives trust flexibility to both clients and domain owners, and enables certification authorities (CAs) to enforce stronger security measures. In today's web PKI, all CAs are equally trusted, and security is defined by the weakest link. We address this problem by introducing trust flexibility in two dimensions: with F-PKI, each domain owner can define a domain policy (specifying, for example, which CAs are authorized to issue certificates for their domain name) and each client can set or choose a validation policy based on trust levels. F-PKI thus supports a property that is sorely needed in today's Internet: trust heterogeneity. Different parties can express different trust preferences while still being able to verify all certificates. In contrast, today's web PKI only allows clients to fully distrust suspicious/misbehaving CAs, which is likely to cause collateral damage in the form of legitimate certificates being rejected. Our contribution is to present a system that is backward compatible, provides sensible security properties to both clients and domain owners, ensures the verifiability of all certificates, and prevents downgrade attacks. Furthermore, F-PKI provides a ground for innovation, as it gives CAs an incentive to deploy new security measures to attract more customers, without having these measures undercut by vulnerable CAs.

View More Papers

Tetrad: Actively Secure 4PC for Secure Training and Inference

Nishat Koti (IISc Bangalore), Arpita Patra (IISc Bangalore), Rahul Rachuri (Aarhus University, Denmark), Ajith Suresh (IISc, Bangalore)

Read More

D-Box: DMA-enabled Compartmentalization for Embedded Applications

Alejandro Mera (Northeastern University), Yi Hui Chen (Northeastern University), Ruimin Sun (Northeastern University), Engin Kirda (Northeastern University), Long Lu (Northeastern University)

Read More

Log4shell: Redefining the Web Attack Surface

Douglas Everson (Clemson University), Long Cheng (Clemson University), and Zhenkai Zhang (Clemson University)

Read More

Interpretable Federated Transformer Log Learning for Cloud Threat Forensics

Gonzalo De La Torre Parra (University of the Incarnate Word, TX, USA), Luis Selvera (Secure AI and Autonomy Lab, The University of Texas at San Antonio, TX, USA), Joseph Khoury (The Cyber Center For Security and Analytics, University of Texas at San Antonio, TX, USA), Hector Irizarry (Raytheon, USA), Elias Bou-Harb (The Cyber Center For…

Read More