The Potential of an Individualized Set of Trusted CAs: Defending Against CA Failures in the Web PKI
The security of most Internet applications relies on underlying Public Key Infrastructures (PKIs) and thus on an ecosystem of Certification Authorities (CAs). The pool of PKIs responsible for the issuance and maintenance of SSL certificates, called the Web PKI, has grown extremely large and complex. Within it, each CA is a single point of failure, resulting in an attack surface whose size is hard to assess. This paper addresses the question of whether and how the attack surface can be reduced in order to minimize the risk of relying on a malicious certificate.