Providing public key certificate authorization and policy with DNS

Title: Providing public key certificate authorization and policy with DNS
Author: Lidestri, Matthew
Abstract: Public Key Infrastructure (PKI) instills trust in the certificates commonly used to secure email, web traffic, VPNs, file transfers, and other forms of network communication. Following a number of successful attacks against certificate authorities, malicious parties have illegitimately acquired trusted certificates for widely used online services, government agencies, and other important organizations. These incidents, and the potential for further attacks of a similar nature, present a notable risk to PKI and to global security as a whole. The proposed Certificate Policy Framework (CPF) offers a mechanism for organizations to control which certificates are authorized to authenticate their services. This DNS-based protocol allows an organization to publish an access control list for any given hostname, where each entry in the ACL identifies a certificate and indicates whether that certificate should be blocked, warned upon, or permitted. Any CPF-compatible application can then query DNS for CPF records and check the certificate presented to it against this authoritative statement of the domain owner's policy, rather than relying on the issuing authority alone. In this work, we review limitations in PKI and certificate-based security and survey existing work in this area. We also discuss CPF in greater detail and demonstrate how it can be used to augment PKI, strengthening this widely adopted technology.
Record URI: http://hdl.handle.net/1850/15220
Date: 2012

Files in this item

File                            Size      Format  Description
MLidestriThesis2-28-2012.pdf    633.2 KB  PDF     Thesis
MLidestriSupplement.pdf         424.5 KB  PDF     Supplement
