Consolidating Trust for Client Groups that use TLS to Secure Connections

This idea was proposed in 2014 as a Cambridge Computer Science Part II project and has been completed by Johann Beleites. It was supervised by David Sheets and Anil Madhavapeddy as part of my Unikernels project.

Summary

This project aimed to develop a framework that allows administrators to centrally manage trust in CAs and certificates across a large number of clients. The framework should be responsive, and changes in trust should not require any software updates or reboots of client devices. Further, no cooperation from CAs or domain owners should be necessary for a security gain. Performance optimisations should be implemented so that the framework is usable on a daily basis, and the project could integrate with other existing attempts at improving the TLS trust model.


Results

A functioning framework dubbed "ConTrust" was implemented, allowing administrators to centrally manage trust for TLS certificates. It can be responsive (depending on the configuration) and does not require software updates or reboots of client devices. Some means of authenticating certificates were introduced, including a whitelist of trusted CAs. Caches were introduced to improve performance; further performance optimisations would be possible but were not implemented because other features were prioritised.
