增强ACME协议以自动管理所有X.509 web证书（扩展版）

IF 4.5 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computer Communications Pub Date : 2025-02-27 DOI:10.1016/j.comcom.2025.108106

David A. Cordova Morales , Ahmad Samer Wazan , David W. Chadwick , Romain Laborde , April Rains Reyes Maramara

{"title":"增强ACME协议以自动管理所有X.509 web证书（扩展版）","authors":"David A. Cordova Morales , Ahmad Samer Wazan , David W. Chadwick , Romain Laborde , April Rains Reyes Maramara","doi":"10.1016/j.comcom.2025.108106","DOIUrl":null,"url":null,"abstract":"<div><div>X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is only limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP) that could facilitate the issuance of high-profile certificates such as EV certificates. We also propose a generic communication workflow to request and present VPs, which interact with our ACME enhancement. In this regard, we present proof of our approach by using the OpenID for Verifiable Presentation protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis, evaluating both computational and communication overhead compared to the standard ACME protocol. Finally, we present an implementation of our solution as proof-of-concept.</div></div>","PeriodicalId":55224,"journal":{"name":"Computer Communications","volume":"236 ","pages":"Article 108106"},"PeriodicalIF":4.5000,"publicationDate":"2025-02-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version)\",\"authors\":\"David A. Cordova Morales , Ahmad Samer Wazan , David W. Chadwick , Romain Laborde , April Rains Reyes Maramara\",\"doi\":\"10.1016/j.comcom.2025.108106\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is only limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP) that could facilitate the issuance of high-profile certificates such as EV certificates. We also propose a generic communication workflow to request and present VPs, which interact with our ACME enhancement. In this regard, we present proof of our approach by using the OpenID for Verifiable Presentation protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis, evaluating both computational and communication overhead compared to the standard ACME protocol. Finally, we present an implementation of our solution as proof-of-concept.</div></div>\",\"PeriodicalId\":55224,\"journal\":{\"name\":\"Computer Communications\",\"volume\":\"236 \",\"pages\":\"Article 108106\"},\"PeriodicalIF\":4.5000,\"publicationDate\":\"2025-02-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Communications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0140366425000635\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Communications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0140366425000635","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

X.509公钥基础设施（pki）广泛用于管理X.509公钥证书（pkc），以允许在Internet上进行安全通信和身份验证。pkc由受信任的第三方证书颁发机构（CA）颁发，CA负责验证证书请求者的信息。web PKI的最新发展表明，域验证（DV）证书的大量增加，但扩展验证（EV）证书的减少，表明web服务背后实体的身份验证很差。ACME协议通过自动化Web证书的管理，简化了Web证书的部署。但是，它仅限于DV证书。本文提出了对ACME协议的增强，通过使用W3C可验证凭据（VCs）来断言请求者的声明，从而实现所有类型的Web X.509 pkc的自动化。我们认为，任何CA颁发PKC的要求都可以表示为可验证演示（VP）中返回的一组vc，这可以促进诸如EV证书之类的高知名度证书的颁发。我们还提出了一个通用的通信工作流来请求和呈现副总裁，它与我们的ACME增强交互。在这方面，我们通过使用OpenID可验证呈现协议（OID4VP）来请求和呈现vp来证明我们的方法。为了评估我们的解决方案的可行性，我们进行了复杂性分析，与标准ACME协议相比，评估了计算和通信开销。最后，我们给出了我们的解决方案的实现作为概念验证。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version)

X.509 Public Key Infrastructures (PKIs) are widely used for managing X.509 Public Key Certificates (PKCs) to allow for secure communications and authentication on the Internet. PKCs are issued by a trusted third-party Certification Authority (CA), which is responsible for verifying the certificate requester’s information. Recent developments in web PKI show a high proliferation of Domain Validated (DV) certificates but a decline in Extended Validated (EV) certificates, indicating poor authentication of the entities behind web services. The ACME protocol facilitates the deployment of Web Certificates by automating their management. However, it is only limited to DV certificates. This paper proposes an enhancement to the ACME protocol for automating all types of Web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester’s claims. We argue that any CA’s requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP) that could facilitate the issuance of high-profile certificates such as EV certificates. We also propose a generic communication workflow to request and present VPs, which interact with our ACME enhancement. In this regard, we present proof of our approach by using the OpenID for Verifiable Presentation protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis, evaluating both computational and communication overhead compared to the standard ACME protocol. Finally, we present an implementation of our solution as proof-of-concept.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computer Communications 工程技术-电信学

CiteScore

14.10

自引率

5.00%

发文量

397

审稿时长

66 days

期刊介绍： Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today''s computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.