A compliance-based ranking of certificate authorities using probabilistic approaches

Abstract

The security of the global Certification Authority (CA) system has recently been compromised as a result of attacks on the Public Key Infrastructure (PKI). Although the CA/Browser (CA/B) Forum publishes compliance requirements for CAs, there are no guarantees that even a commercially successful CA is complying with these recommendations. In this paper, we propose the first systematic CA ranking mechanism that ranks CAs in terms of their adherence to the CA/B Forum and X.509 certificate standards. Unfortunately, there is no consolidated and widely accepted parameter to rank the CAs so we have proposed formula-based rating models and introduced different ranking techniques like Direct, Bayesian, and MarkovChain Ranking. These rankings are applied to a comprehensive dataset of X.509 trust chains gathered during the time period of 2020 to 2023. Our proposed ranking scheme can serve as a criterion for both consumers and enterprises for selecting and prioritizing CAs based on performance as well as adherence to the certificate standards.