Revocations Are Dead, Long Live Revocations

Dave Levin is an assistant professor of computer science at the University of Maryland, where he is also the chair of the CS Undergraduate Honors program

Dave Levin, Assistant Professor of Computer Science, University of Maryland

Abstract:

The importance of the web’s public key infrastructure (PKI) cannot be overstated: it is what allows users to know with whom they are communicating online.  Central to its correct operation is the ability to “revoke” certificates in the wake of a compromised key.  For revocations to work: (1) website administrators must request to have their certificates revoked, (2) browser manufacturers must regularly check for revocations, and (3) above all, no one should share their private keys.

Using Internet-wide measurements, I will show that all of these are violated on a regular basis, largely due to perverse economic incentives.  I will also present a promising path forward: a new system, CRLite, that compactly represents all revocations in only tens of kilobytes per day.  CRLite shows that, at last, it is feasible for every client to download every revocation everyday.

Bio:

Dave Levin is an assistant professor of computer science at the University of Maryland, where he is also the chair of the CS Undergraduate Honors program.  In his research, he empirically measures security on the Internet to understand how security breaks down, and applies economics and cryptography to build new, provably secure systems.  Dave and his colleagues’ work on studying the web’s PKI recently received a USENIX Security Distinguished Paper Award and an IEEE Cybersecurity Award for Innovation.