Security Vulnerabilities in the Trust-List PKI

摘要

The trust-list public key infrastructure (TLPKI) and the current implementation by the clients (such as Web browsers), the servers (such as Web servers) and the Root Certification Authorities, is one of the most widely deployed type of PKI. Each client is distributed with a preconfigured set of self-signed root certificates (SSRCs) that enable the end-user to use secure services such as secure network connections, secure e-mail and execution of signed software. However, at present, the policies and procedures for the inclusion of SSRCs can be a source of security vulnerabilities. This paper identifies and analyses these security vulnerabilities and in order to tackle them, the Certificate Use Accounting mechanism is proposed.