[x500standard] Re: [T17Q11] The SSL Landscape - A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements

• From: "Euchner, Martin" <martin.euchner@xxxxxxx>
• To: Erik Andersen <era@xxxxxxx>, "'SG17-Q11'" <t09sg17q11@xxxxxxxxxxxxx>, Directory list <x500standard@xxxxxxxxxxxxx>, "Euchner, Martin" <martin.euchner@xxxxxxx>
• Date: Mon, 10 Oct 2011 10:19:54 +0000

Eric,

Yes, this is also my understanding that there many implementation and 
deployment problems of PKI in practice and probably not all PKI-based 
products/services are making use of the latest PKI standards yet; I have not 
seen any hints that PKI is any conceptually flawed.

Martin.

From: Erik Andersen [mailto:era@xxxxxxx]
Sent: Monday, October 10, 2011 11:39 AM
To: Euchner, Martin; 'SG17-Q11'; Directory list
Subject: SV: [T17Q11] The SSL Landscape - A Thorough Analysis of the X.509 PKI 
Using Active and Passive Measurements

Hi Martin,

Thanks a lot for providing his kind of information. I have scanned through the 
document. It appears that PKI is not the issue, but rather how it is 
implemented, which may emphasise the requirement for a concise and consistent 
X.509. However, this has proven to be a major task requiring quite extensive 
resources. It would also be useful with some tutorial material based on 
experiences as in referenced document.

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

Fra: Euchner, Martin 
[mailto:martin.euchner@xxxxxxx]<mailto:[mailto:martin.euchner@xxxxxxx]>
Sendt: 4. oktober 2011 18:40
Til: SG17-Q11; Euchner, Martin
Emne: [T17Q11] The SSL Landscape - A Thorough Analysis of the X.509 PKI Using 
Active and Passive Measurements

FYI: The recent serious exploitable vulnerability of SSL/TLS (ref. BEAST 
attack) and other CA hacks has put PKI and its deployment challenges into the 
spotlight of security debates.

http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf
The SSL Landscape - A Thorough Analysis of the X.509
PKI Using Active and Passive Measurements
Ralph Holz, Lothar Braun, Nils Kammenhuber, Georg Carle
Technische Universität München
Faculty of Informatics
Chair for Network Architectures and Services

ABSTRACT
The SSL and TLS infrastructure used in important protocols like
HTTPs and IMAPs is built on an X.509 public key infrastructure
(PKI). X.509 certificates are thus used to authenticate services like
online banking, shopping, e-mail, etc. However, it always has been
felt that the certification processes of this PKI may not be conducted
with enough rigor, resulting in a deployment where many
certificates do not meet the requirements of a secure PKI.
This paper presents a comprehensive analysis of X.509 certificates
in the wild. To shed more light on the state of the deployed
and actually used X.509 PKI, we obtained and evaluated data from
many different sources. We conducted HTTPs scans of a large
number of popular HTTPs servers over a 1.5-year time span, including
scans from nine locations distributed over the globe. To
compare certification properties of highly ranked hosts with the
global picture, we included a third-party scan of the entire IPv4
space in our analyses. Furthermore, we monitored live SSL/TLS
traffic on a 10Gbps uplink of a large research network. This allows
us to compare the properties of the deployed PKI with the part of
the PKI that is being actively accessed by users.
Our analyses reveal that the quality of certification lacks in stringency,
due to a number of reasons among which invalid certification
chains and certificate subjects give the most cause for concern.
Similar concerns can be raised for other properties of certification
chains and also for many self-signed certificates used in the deployed
X.509 PKI. Our findings confirm what has long been believed
- namely that the X.509 PKI that we use so often in our
everyday's lives is in a sorry state.

With kind regards

Martin Euchner.

Advisor of Study Group 17
Telecommunication Standardization Bureau (TSB)
International Telecommunication Union (ITU)
e-mail : Martin.Euchner@xxxxxxx<mailto:Martin.Euchner@xxxxxxx>
Phone : +41 22 730 5866
Mobile: +41 79 592 4688
URL : http://www.itu.int/ITU-T/studygroups/com17
Office No : M.415
[cid:[email protected]]
Place des Nations
CH-1211 Geneva 20
Switzerland

• References:
  • [x500standard] SV: [T17Q11] The SSL Landscape - A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements
    • From: Erik Andersen

Other related posts:

• » [x500standard] Re: [T17Q11] The SSL Landscape - A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements - Euchner, Martin

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page
• » View list details
• » Manage your subscription