A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents. Issue 1 (20th December 2021)
- Record Type:
- Journal Article
- Title:
- A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents. Issue 1 (20th December 2021)
- Main Title:
- A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents
- Authors:
- Hadan, Hilda
Serrano, Nicolas
Camp, L Jean
- Abstract:
- Public key infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. This paper presents an evaluation of web-based PKI incidents in two parts. We began with a qualitative study where we captured security and policy experts' perceptions of PKI in a set of interviews. We interviewed 18 experts at two conferences, who include security academics and practitioners. We describe their perceptions of PKI failures. To evaluate whether perceived failures match real documented failures, we conducted a quantitative analysis of real-world PKI incidents on the web since 2001. Our data comprise reports from Bugzilla, root program operators, academic literature, security blogs, and the popular press. We determined the underlying causes of each and reported the results. We identified a gap between experts' perceptions and real-world PKI incidents. We conclude that there are significant sources of failures of PKI that neither the usability nor traditional computer security community is engaging, nor can arguably engage separately. Specifically, we found that incidents illustrate systematic weaknesses of organizational practices that create risks for all who rely upon PKI. More positively, our results also point to organizational and configuration choices that could avoid or mitigate some of these risks. Thus, we also identify immediate mitigation strategies (where feasible).
- Is Part Of:
- Journal of cybersecurity. Volume 7:Issue 1(2021)
- Journal:
- Journal of cybersecurity
- Issue:
- Volume 7:Issue 1(2021)
- Issue Display:
- Volume 7, Issue 1 (2021)
- Year:
- 2021
- Volume:
- 7
- Issue:
- 1
- Issue Sort Value:
- 2021-0007-0001-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-12-20
- Subjects:
- public key infrastructure (PKI) -- digital certificates -- certificate authorities -- Bugzilla -- CA noncompliance -- baseline requirements
Computer security -- Periodicals
Computer networks -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://cybersecurity.oxfordjournals.org/
http://www.oxfordjournals.org/
- DOI:
- 10.1093/cybsec/tyab025
- Languages:
- English
- ISSNs:
- 2057-2093
- Deposit Type:
- Legal deposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 20272.xml