
Research Article
X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency
@inproceedings{10.1007/978-3-031-17081-2_8,
  author        = {Shushang Wen and Bingyu Li and Ziqiang Ma and Qianhong Wu and Nenghai Yu},
  title         = {X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency},
  booktitle     = {Applied Cryptography in Computer and Communications. Second EAI International Conference, AC3 2022, Virtual Event, May 14-15, 2022, Proceedings},
  proceedings_a = {AC3},
  publisher     = {Springer},
  year          = {2022},
  month         = {10},
  keywords      = {Public key infrastructure, Certificate transparency, Cross certification, Cross-signing, Trust management},
  doi           = {10.1007/978-3-031-17081-2_8}
}
- Shushang Wen
- Bingyu Li
- Ziqiang Ma
- Qianhong Wu
- Nenghai Yu
Year: 2022
X-FTPC: A Fine-Grained Trust Propagation Control Scheme for Cross-Certification Utilizing Certificate Transparency
AC3
Springer
DOI: 10.1007/978-3-031-17081-2_8
Abstract
Cross-certification plays a fundamental role in interconnecting different root stores in public key infrastructure (PKI). However, existing trust management mechanisms (e.g., certificate extensions) cannot implement fine-grained control over the trust propagation caused by cross-signing. Although cross-certification expands the trust scope of certificate authorities (CAs), it therefore also introduces new security risks into the existing PKI system: (a) it makes certification paths more complicated and leaves them without effective control, resulting in the arbitrary propagation of trust, and (b) more seriously, it may allow a revoked cross-signed CA to continue issuing certificates that still have valid trust paths, because cross-certificates for that CA have not been fully revoked. Certificate Transparency (CT) was proposed to detect maliciously or mistakenly issued certificates and to improve the accountability of CAs by recording all certificates in publicly visible logs. In this paper, we propose X-FTPC, a fine-grained trust propagation control enhancement scheme for cross-certification based on the idea of transparency, combined with the publicly accessible, auditable, and append-only properties of the CT log. X-FTPC introduces a new certificate extension that forces the cross-signed CA to submit an end-entity certificate to the specified log for pre-verification before the certificate can be finally accepted. Fine-grained control of cross-certificate trust propagation is achieved through real-time monitoring of the certificate issuing behavior of cross-signed CAs. Moreover, the scheme is fully compatible with the CT frameworks widely deployed on the Internet.
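The two points the abstract makes, trust that keeps propagating through a cross-certificate nobody revoked, and a log-based pre-verification gate that closes that path, can be reproduced on a toy PKI. The Go program below is an added example written for this page; it is not the paper's code and does not implement X-FTPC's actual extension format. It assumes two hypothetical private-arc OIDs (one placed in a cross-certificate to name the log that end-entity certificates must be pre-verified at, one placed in the end-entity certificate to stand in for the proof of submission, where a real deployment would verify an SCT), encodes the log identifier as a plain ASN.1 string, and uses Go's crypto/x509 chain builder as the relying party. The names Root A, Root B, CA C, log-b and www.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Hypothetical private-arc OIDs for this illustration only (not the paper's extension):
// oidRequireLog in a cross-certificate names the log an EE must be pre-verified at;
// oidSubmittedTo in an EE stands in for the proof that it was submitted to that log.
var (
	oidRequireLog  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	oidSubmittedTo = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
)

// logExt encodes a log identifier as a NON-critical extension, so verifiers that do not
// know the OID still build paths exactly as they do today (the CT-style compatibility goal).
func logExt(oid asn1.ObjectIdentifier, logID string) pkix.Extension {
	v, _ := asn1.Marshal(logID)
	return pkix.Extension{Id: oid, Value: v}
}

// logOf returns the log identifier carried under oid, or "" if absent.
func logOf(c *x509.Certificate, oid asn1.ObjectIdentifier) (s string) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			asn1.Unmarshal(e.Value, &s)
		}
	}
	return s
}

// mkCert issues a certificate for pub signed by signer (parent == nil: self-signed root);
// a CertSign key usage marks it as a CA.
func mkCert(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate,
	pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey, exts ...pkix.Extension) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		ExtraExtensions: exts,
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// PKI: two independent roots, CA "C" cross-signed by both (one cross-certificate per
// root, same subject and key), and one end-entity certificate issued by C.
type PKI struct{ RootA, RootB, CByA, CByB, EE *x509.Certificate }

// BuildPKI creates the hierarchy; Root B's cross-certificate demands pre-verification
// at "log-b", and the EE carries whatever eeExts the caller supplies (possibly none).
func BuildPKI(eeExts ...pkix.Extension) PKI {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	ka, kb, kc, ke := key(), key(), key(), key()
	const caKU, eeKU = x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature
	p := PKI{RootA: mkCert("Root A", 1, caKU, nil, &ka.PublicKey, ka)}
	p.RootB = mkCert("Root B", 2, caKU, nil, &kb.PublicKey, kb)
	p.CByA = mkCert("CA C", 3, caKU, p.RootA, &kc.PublicKey, ka)
	p.CByB = mkCert("CA C", 4, caKU, p.RootB, &kc.PublicKey, kb, logExt(oidRequireLog, "log-b"))
	p.EE = mkCert("www.example.test", 5, eeKU, p.CByA, &ke.PublicKey, kc, eeExts...)
	return p
}

// Chains returns every trust path Go's verifier finds from p.EE to Root A or Root B via
// the given cross-certificates; omitting p.CByA models Root A having revoked it.
func Chains(p PKI, crossCerts ...*x509.Certificate) [][]*x509.Certificate {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.RootA)
	roots.AddCert(p.RootB)
	for _, c := range crossCerts {
		inters.AddCert(c)
	}
	chains, _ := p.EE.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return chains
}

// Accept is the X-FTPC-style gate for one path: if any CA certificate on it names a
// required log, the EE must carry proof of submission to exactly that log.
func Accept(chain []*x509.Certificate) bool {
	for _, ca := range chain[1:] {
		if want := logOf(ca, oidRequireLog); want != "" && logOf(chain[0], oidSubmittedTo) != want {
			return false
		}
	}
	return true
}

// AcceptedRoots names the roots whose paths to p.EE pass the gate.
func AcceptedRoots(p PKI, crossCerts ...*x509.Certificate) map[string]bool {
	out := map[string]bool{}
	for _, ch := range Chains(p, crossCerts...) {
		if Accept(ch) {
			out[ch[len(ch)-1].Subject.CommonName] = true
		}
	}
	return out
}
```

Chains(p, p.CByA, p.CByB) finds two paths for the one end-entity certificate. Dropping p.CByA, which is what Root A revoking its cross-certificate for C looks like to a relying party, still leaves the path through Root B: that is risk (b) from the abstract, and nothing in today's path validation flags it. AcceptedRoots then shows the gate: with no submission proof the Root B path is rejected while the Root A path, whose cross-certificate makes no demand, is unchanged; an EE that carries proof for log-b is accepted on both, and proof for some other log is not. Because the extension is non-critical, verifiers that do not implement the gate behave exactly as before.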