Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version)

IF 4.5 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computer Communications Pub Date : 2025-02-27 DOI:10.1016/j.comcom.2025.108106

David A. Cordova Morales , Ahmad Samer Wazan , David W. Chadwick , Romain Laborde , April Rains Reyes Maramara

{"title":"Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version)","authors":"David A. Cordova Morales , Ahmad Samer Wazan , David W. Chadwick , Romain Laborde , April Rains Reyes Maramara","doi":"10.1016/j.comcom.2025.108106","DOIUrl":null,"url":null,"abstract":"<div><div>X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is only limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP) that could facilitate the issuance of high-profile certificates such as EV certificates. We also propose a generic communication workflow to request and present VPs, which interact with our ACME enhancement. In this regard, we present proof of our approach by using the OpenID for Verifiable Presentation protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis, evaluating both computational and communication overhead compared to the standard ACME protocol. Finally, we present an implementation of our solution as proof-of-concept.</div></div>","PeriodicalId":55224,"journal":{"name":"Computer Communications","volume":"236 ","pages":"Article 108106"},"PeriodicalIF":4.5000,"publicationDate":"2025-02-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Communications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0140366425000635","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is only limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP) that could facilitate the issuance of high-profile certificates such as EV certificates. We also propose a generic communication workflow to request and present VPs, which interact with our ACME enhancement. In this regard, we present proof of our approach by using the OpenID for Verifiable Presentation protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis, evaluating both computational and communication overhead compared to the standard ACME protocol. Finally, we present an implementation of our solution as proof-of-concept.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Communications 工程技术-电信学

CiteScore

14.10

自引率

5.00%

发文量

397

审稿时长

66 days

期刊介绍： Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today''s computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.