TL;DR: The European Certificate of Succession (ECS) as mentioned in this paper is a legal document that serves as proof of the status as an heir, legatee or administrator of the estate in all Member States.
Abstract: One of the most important features of the EU Succession Regulation (No 650/2012) is the creation of a European Certificate of Succession. The Certificate will be issued by the courts or other authorities of the Member State in which the deceased had the last habitual residence. The Certificate will serve as proof of the status as an heir, legatee or administrator of the estate in all Member States. The good faith in the content of the Certificate is protected. Only for the registration in the national land register (or for other registered assets), the national rules on registration or land law may still require additional documents (or contracts) besides the European Certificate of Succession. The European Certificate of Succession does not abolish national certificates; they may still be used alternatively.
TL;DR: The author argues that such attacks are likely to occur repeatedly and that respective countermeasures must be designed, implemented, and put in place: certificate revocation and certificate authorization.
Abstract: Several recent attacks against certification authorities (CAs) and fraudulently issued certificates have put the security and usefulness of the Internet public-key infrastructure (PKI) at stake. In this article, the author argues that such attacks are likely to occur repeatedly and that respective countermeasures must be designed, implemented, and put in place. In particular, he discusses two problem areas in which countermeasures are needed: certificate revocation and certificate authorization. Both areas are related and can be subsumed under the term "certificate legitimation." The author introduces the notion of certificate legitimation, discusses some recent proposals, and outlines new areas of research and development.
TL;DR: In this paper, the authors present techniques for advising clients of the trustworthiness of respective certificate authorities by evaluating the certificates issued by such certificate authorities for suspicious indicators, such as hashcode collisions with other certificates and public key re-use.
Abstract: In many information security scenarios, a certificate issued by a certificate authority on behalf of a domain is presented to a client in order to verify the identity of the domain. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult for an individual client to determine. Presented herein are techniques for advising clients of the trustworthiness of respective certificate authorities by evaluating the certificates issued by such certificate authorities for suspicious indicators, such as hashcode collisions with other certificates and public key re-use. A trust level may be identified of respective certificate authorities according to the presence or absence of suspicious indicators in the certificates issued by the certificate authority, and a certificate authority trust set may be distributed to advise clients of the trustworthiness of certificates issued by the respective certificate authorities.
TL;DR: A dynamic CRL releasing policy is proposed that suggests that the optimal releasing intervals within the lifecycle of a certificate should increase over time, supported by the empirical data from VeriSign.
Abstract: The fast growth of e-commerce and online activities places increasing demands on authentication and secure communication to enable information exchange and online transactions. The public key infrastructure (PKI) provides a promising foundation for meeting such demand, in which certificate authorities (CAs) provide digital certificates. In practice, it is critical to understand consumer purchasing and revocation behaviors so that CAs can better manage the digital certificates and their CRL releasing process. To address this problem, we analytically model a CA's pricing and revocation releasing strategies, taking into consideration the users' rational decisions. The model provides solutions to two main research questions: (1) How should the CA price the digital certificates? The price of the digital certificate should be determined by the expected losses of the user's IT system, and the number of certificate revocations per period is expected to decrease over time during the lifecycle of the certificate. This result is supported by the empirical data from VeriSign. (2) How should the CA release its CRL? We further propose a dynamic CRL releasing policy that suggests that the optimal releasing intervals within the lifecycle of a certificate should increase over time.
TL;DR: In this paper, the authors implemented an empirical study of certificates for depository institutions insured by the Federal Depository Insurance Corporation (FDIC) and compared them to general purpose, non-banking certificates.
Abstract: A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs). Banks are the most common target of phishing attacks, so we implemented an empirical study of certificates for depository institutions insured by the Federal Depository Insurance Corporation (FDIC) and compared them to general purpose, non-banking certificates. Our study of websites of FDIC-insured banks found that the current configuration fails to support website authentication. The most common failure is an absence of certificates, meaning that a false certificate would be the only valid-named certificate for that institution. Certificates with incorrect names, incorrectly structured certificates, and shared certificates all plague online banking. The vast majority of banks, especially smaller banks, apparently lack the expertise, support, or incentive to implement certificates correctly. We document the current state of bank certificates. We compare these with general-purpose certificates (e.g., the top one million websites). We survey the various proposals for the certificate market writ large, including pinning and notaries. We identify how those fit and fail to fit the unique problem of banking certificates. We close with policy and technical recommendations to alter the use of certificates so that these can be a valid basis for consumer trust.
TL;DR: In this article, the authors propose a method for authenticating a user digital certificate 612 generated by an issuing certification authority and creating a shortcut certificate (700 fig.7) for the digital certificate 612 of the issuing certification authority once that digital certificate is authenticated.
Abstract: The method comprises authenticating a user digital certificate 612 generated by an issuing certification authority and creating a shortcut certificate (700 fig.7) for the digital certificate 612 of the issuing certification authority when the digital certificate 612 of the issuing certification authority is authenticated. The shortcut certificate (700 fig.7) comprises a signed entry of an authentication of the issuing certification authority. The issuing certification authority may belong to a hierarchy of certification authorities 618, 620, 622 and each certification authority in a chain of parent certification authorities is validated to authenticate the digital certificate 612 of the issuing certification authority. The shortcut certificate (700 fig.7) may comprise a cached entry of an identifier of each certification authority in the chain. The method may include accessing a resource of an agent device 602a, e.g. permission to open a point of access, through authentication of the user digital certificate 612 and the shortcut certificate (700 fig.7) is transmitted to other agent devices 602b, 602c, 602d within a class of other agent devices.
TL;DR: In this article, the authors present techniques for advising clients of the reputations of respective certificate authorities by evaluating the certificates issued by such certificate authorities, considering factors such as the number and types of domains certified by the certificate, the number of certificates issued for the domain, and the certification techniques used to issue the certificates.
Abstract: In many information security scenarios, a certificate issued by a certificate authority may be presented to a client in order to assert a trust level of a certificated item, such as a message or a web page. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult to determine, particularly for an individual client. Presented herein are techniques for advising clients of the reputations of respective certificate authorities by evaluating the certificates issued by such certificate authorities, such as the number and types of domains certified by the certificate; the number and pattern of certificates issued for the domain; and the certification techniques used to issue the certificates. Such evaluation enables a determination of a certificate authority trust level that may be distributed to the clients in a certificate authority trust set.
TL;DR: The special qualities of some overlapped authentication models are analyzed based on their operational application, and an electronic authentication public service platform has been designed for the compatible application of Multi-CA.
Abstract: Electronic certification authority (CA) applications have compatibility problems, so validation between certification authorities is indispensable. In this paper, the special qualities of some overlapped authentication models are analyzed based on their operational application. Also, an electronic authentication public service platform has been designed for the compatible application of Multi-CA. The platform is both efficient and convenient.
TL;DR: This article attempts to propose ethical considerations based on the findings of two guides: the “Guide for writing medical certificates” prepared by the Korean Medical Association and the “Statement on medical certification” prepared by the Medical Council of New Zealand.
Abstract: Writing a medical certificate can be a complicated part of medical practice. A doctor is expected to sign a variety of medical certificates that range in purpose from confirming sickness to certifying death. Medical certificates are legal documents based on clear and relevant evidence and should be written promptly, honestly, accurately, and objectively. Medical certificates may have financial implications for the patient or recipient through benefits, employment, or compensation payments, and a failure to complete a certificate appropriately may have a negative impact on the patient, the patient’s family, or the receiving organization. For example, a doctor who certifies a patient to undertake work when he or she is unfit may place the patient or the patient’s colleagues or the organization at risk. Society places a great deal of trust in doctors. This article attempts to propose ethical considerations based on the findings of two guides: the “Guide for writing medical certificates” prepared by the Korean Medical Association and the “Statement on medical certification” prepared by the Medical Council of New Zealand. The authors discuss some suggestions for guidance in medical certification to protect each individual involved and to promote good medical practice. The structured step table and self-check list provided may be of assistance.
TL;DR: This work evaluates the actual level of adherence to the CA/Browser Forum guidelines over time, as well as the impact of each violation, by inspecting a large collection of certificates gathered from Web crawls and automatically deriving profile templates that characterize the makeup of certificates per issuer.
Abstract: A string of recent attacks against the global public key infrastructure (PKI) has brought to light weaknesses in the certification authority (CA) system. In response, the CA/Browser Forum, a consortium of certification authorities and browser vendors, published in 2011 a set of requirements applicable to all certificates intended for use on the Web and issued after July 1st, 2012, following the successful adoption of the extended validation guidelines in 2007. We evaluate the actual level of adherence to the CA/Browser Forum guidelines over time, as well as the impact of each violation, by inspecting a large collection of certificates gathered from Web crawls. We further refine our analysis by automatically deriving profile templates that characterize the makeup of certificates per issuer. By integrating these templates with violation statistics, we are able to depict the practices of certification authorities worldwide, and thus to monitor the PKI and proactively detect major violations. Our method also provides new means of assessing the trustworthiness of SSL certificates used on the Web.
TL;DR: An in-depth analysis of the certificate validation process employed in current web browsers is presented; the various improvements proposed so far are reviewed and analyzed with the aid of a threat model, and an extended website certificate validation process is sketched with the aim of allowing for better protection.