Laurent Chuat (ETH Zurich), Cyrill Krähenbühl (ETH Zürich), Prateek Mittal (Princeton University), Adrian Perrig (ETH Zurich)

We present F-PKI, an enhancement to the HTTPS public-key infrastructure (or web PKI) that gives trust flexibility to both clients and domain owners, and enables certification authorities (CAs) to enforce stronger security measures. In today's web PKI, all CAs are equally trusted, and security is defined by the weakest link. We address this problem by introducing trust flexibility in two dimensions: with F-PKI, each domain owner can define a domain policy (specifying, for example, which CAs are authorized to issue certificates for their domain name) and each client can set or choose a validation policy based on trust levels. F-PKI thus supports a property that is sorely needed in today's Internet: trust heterogeneity. Different parties can express different trust preferences while still being able to verify all certificates. In contrast, today's web PKI only allows clients to fully distrust suspicious/misbehaving CAs, which is likely to cause collateral damage in the form of legitimate certificates being rejected. Our contribution is to present a system that is backward compatible, provides sensible security properties to both clients and domain owners, ensures the verifiability of all certificates, and prevents downgrade attacks. Furthermore, F-PKI provides a ground for innovation, as it gives CAs an incentive to deploy new security measures to attract more customers, without having these measures undercut by vulnerable CAs.

View More Papers

Uncovering Cross-Context Inconsistent Access Control Enforcement in Android

Hao Zhou (The Hong Kong Polytechnic University), Haoyu Wang (Beijing University of Posts and Telecommunications), Xiapu Luo (The Hong Kong Polytechnic University), Ting Chen (University of Electronic Science and Technology of China), Yajin Zhou (Zhejiang University), Ting Wang (Pennsylvania State University)

Read More

Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures

Ghada Dessouky (Technical University of Darmstadt), Emmanuel Stapf (Technical University of Darmstadt), Pouya Mahmoody (Technical University of Darmstadt), Alexander Gruler (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)

Read More