month = 07,
day = 17,
}
+
+@InProceedings{https13,
+ author = {Zakir Durumeric and James Kasten and Michael Bailey and J. Alex Halderman},
+ title = {Analysis of the {HTTPS} Certificate Ecosystem},
+ booktitle = {Proceedings of the 13th Internet Measurement Conference},
+ month = oct,
+ year = {2013},
+ url = {https://jhalderm.com/pub/papers/https-imc13.pdf},
+}
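Review bot: The new `https13` entry writes its date as the BibTeX macro `month = oct`, while the entry directly above it uses a numeric `month = 07` with a separate `day` field; use one convention across the file so the bibliography style formats dates uniformly. The key `https13` names only the topic and year, so a key that also carries the first author or venue would be less likely to collide with a later HTTPS reference from 2013.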
\section{Public Key Infrastructures}
\label{section:PKIs}
-Public-Key Infrastructures aim to provide a way to simplify the verification of
-a certificate's trustworthiness. For this, certificate authorities (CAs) are
-used to create a signature chain from the root CA down to the server (or client).
-Accepting a CA as a generally-trusted mediator solves the trust-scaling problem
-at the cost of introducing an actor that magically is more trustworthy.
-
-The first part of this section addresses how to obtain a certificate. The
-second part offers recommendations on how to improve the security of your
-PKI.
+Public-Key Infrastructures try to solve the problem of verifying
+whether a public key belongs to a given entity, so as to prevent Man
+In The Middle attacks.
+
+There are two approaches to achieve that: {\it Certificate Authorities}
+and the {\it Web of Trust}.
+
+Certificate Authorities (CAs) sign end-entities' certificates, thereby
+associating some kind of identity (e.g. a domain name or an email
+address) with a public key. CAs are used with TLS and S/MIME
+certificates, and the CA system has a big list of possible and real
+problems which are summarized in \cite{https13}.
+
+The Web of Trust is a decentralized system where people sign each
+others keys, so that there is a high chance that there is a ``trust
+path'' from one key to another. This is used with PGP keys, and while
+it avoids most of the problems of the CA system, it is more
+cumbersome.
+
+As alternatives to these public systems, there are two more choices:
+running a private CA, and manually trusting keys (as it is used with
+SSH keys or manually trusted keys in web browsers).
+
+The first part of this section addresses how to obtain a certificate
+in the CA system. The second part offers recommendations on how to
+improve the security of your PKI.
\subsection{Certificate Authorities}
\label{sec:cas}
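Review bot: The Web of Trust paragraph states that it "avoids most of the problems of the CA system" with no reference, while the matching claim about CA problems in the paragraph above is backed by `\cite{https13}`; either cite a source for the comparison or name the specific problems it avoids. In the same paragraph "each others keys" should read "each other's keys", and `{\it Certificate Authorities}` and `{\it Web of Trust}` would be better as `\emph{...}`, since `\it` is an obsolete font switch. The rewrite also drops the removed text's description of the signature chain from the root CA down to the server, which the following "Certificate Authorities" subsection may rely on, and the intro now lists four approaches while the closing paragraph promises coverage only of obtaining a certificate in the CA system, so a sentence saying where (or whether) the Web of Trust, private CAs and manually trusted keys are treated would help.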