Anil Madhavapeddy, Professor of Planetary Computing

Consolidating Trust for Client Groups that use TLS to Secure Connections

This idea was proposed in 2014 as a Cambridge Computer Science Part II project and has been completed by Johann Beleites. It was supervised by David Sheets and Anil Madhavapeddy.

This project aimed to develop a framework that allows administrators to centrally manage trust in CAs and certificates across a large number of clients. The framework should be responsive, and changes in trust should not require any software updates or reboots of client devices. Further, no cooperation from CAs or domain owners should be necessary for a security gain. Performance optimisations should be implemented so that the framework is usable on a daily basis, and the project could integrate with other existing attempts at improving the TLS trust model.

Results

A functioning framework dubbed "ConTrust" was implemented, allowing administrators to centrally manage trust for TLS certificates. It can be responsive (depending on the configuration) and does not require software updates or reboots of client devices. Some means of authenticating certificates were introduced, including a whitelist of trusted CAs. Caches were introduced to improve performance; further performance optimisations would be possible but were not implemented because other features were prioritised.

# 1st Jan 2014   iconideas idea-done idea-medium ocaml security tls trust

Related News

Not-Quite-So-Broken TLS / Aug 2015

# 1st Aug 2015   iconpapers conference mirageos ocaml security unikernels

Unikernels / Jan 2010

I proposed the concept of "unikernels" -- single-purpose appliances that are compile-time specialised into standalone bootable kernels, and sealed against modification when deployed to a cloud platform. In return they offer significant reduction in image sizes, improved efficiency and security, and reduce operational costs. I also co-founded the MirageOS project which is one of the first complete unikernel frameworks, and also integrated them to create the Docker for Desktop apps that are used by hundreds of millions of users daily.

# 1st Jan 2010   iconprojects cloud embedded mirageos security systems tee unikernels xen