A Call to Reconsider Certification Authority Authorization (CAA)

• URL: http://arxiv.org/abs/2411.07702v1
• Date: Tue, 12 Nov 2024 10:35:59 GMT
• Title: A Call to Reconsider Certification Authority Authorization (CAA)
• Authors: Pouyan Fotouhi Tehrani, Raphael Hiesgen, Thomas C. Schmidt, Matthias Wählisch,
• Abstract summary: We show how shortcomings in CAA concepts and operational aspects undermine its effectiveness in preventing certificate misissuance. Our discussion reveals pitfalls and highlights best practices when designing security protocols based on DNS.
• Score: 1.3124513975412255
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Certification Authority Authentication (CAA) is a safeguard against illegitimate certificate issuance. We show how shortcomings in CAA concepts and operational aspects undermine its effectiveness in preventing certificate misissuance. Our discussion reveals pitfalls and highlights best practices when designing security protocols based on DNS.

Related papers

• Practical Application and Limitations of AI Certification Catalogues in the Light of the AI Act [0.1433758865948252]
  This work focuses on the practical application and limitations of existing certification catalogues in the light of the AI Act. We use the AI Assessment Catalogue as a comprehensive tool to systematically assess an AI model's compliance with certification standards. We observe the limitations of an AI system that has no active development team anymore and highlight the importance of complete system documentation.
  arXiv  Detail & Related papers  (2025-01-20T15:54:57Z)
• Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC) ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic. We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study [1.2233362977312945]
  Misuse or misissuance of certificates threaten the Web PKI security model. We study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use.
  arXiv  Detail & Related papers  (2024-07-02T14:20:31Z)
• Formally Verifying Deep Reinforcement Learning Controllers with Lyapunov Barrier Certificates [2.0611129932396164]
  We present a novel method for training and verifying NLB-based certificates for discrete-time systems. Specifically, we introduce a technique for certificate composition, which simplifies the verification of highly-complex systems. We demonstrate the merits of our approach with a case study on providing safety and liveness guarantees for a DRL-controlled spacecraft.
  arXiv  Detail & Related papers  (2024-05-22T23:06:34Z)
• CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models [6.129515045488372]
  Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. This paper proposes a novel certified defense technique called CrossCert.
  arXiv  Detail & Related papers  (2024-05-13T11:54:03Z)
• A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure. This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus. We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv  Detail & Related papers  (2024-01-19T14:52:04Z)
• PointCert: Point Cloud Classification with Deterministic Certified Robustness Guarantees [63.85677512968049]
  Point cloud classification is an essential component in many security-critical applications such as autonomous driving and augmented reality. Existing certified defenses against adversarial point clouds suffer from a key limitation: their certified robustness guarantees are probabilistic. We propose a general framework, namely PointCert, that can transform an arbitrary point cloud classifier to be certifiably robust against adversarial point clouds.
  arXiv  Detail & Related papers  (2023-03-03T14:32:48Z)
• Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples [30.42301446202426]
  Our new emphCertification Aware Attack exploits certifications to produce computationally efficient norm-minimising adversarial examples. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.
  arXiv  Detail & Related papers  (2023-02-09T00:10:05Z)
• COPA: Certifying Robust Policies for Offline Reinforcement Learning against Poisoning Attacks [49.15885037760725]
  We focus on certifying the robustness of offline reinforcement learning (RL) in the presence of poisoning attacks. We propose the first certification framework, COPA, to certify the number of poisoning trajectories that can be tolerated. We prove that some of the proposed certification methods are theoretically tight and some are NP-Complete problems.
  arXiv  Detail & Related papers  (2022-03-16T05:02:47Z)
• Postcertificates for Revocation Transparency [3.4269133917069263]
  We propose a new revocation transparency protocol that introduces postcertificates and utilizes the existing Certificate Transparency (CT) logs. The protocol is practical, has a low deployment cost, provides an immutable history of revocations, enables delegation, and helps to detect revocation-related misbehavior. We evaluate the protocol, measure log and monitor performance, and conclude that it is possible to provide revocation transparency using existing CT logs.
  arXiv  Detail & Related papers  (2022-03-03T18:43:09Z)
• Fast Training of Provably Robust Neural Networks by SingleProp [71.19423596238568]
  We develop a new regularizer that is both more efficient than existing certified defenses. We demonstrate improvements in training speed and comparable certified accuracy compared to state-of-the-art certified defenses.
  arXiv  Detail & Related papers  (2021-02-01T22:12:51Z)
• Breaking certified defenses: Semantic adversarial examples with spoofed robustness certificates [57.52763961195292]
  We present a new attack that exploits not only the labelling function of a classifier, but also the certificate generator. The proposed method applies large perturbations that place images far from a class boundary while maintaining the imperceptibility property of adversarial examples.
  arXiv  Detail & Related papers  (2020-03-19T17:59:44Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.