TPValCert: Privacy-Preserving Trusted Proxy for Public Key Certificate Validation / Berbecaru, Diana. - ELECTRONIC. - (2025). (2025 IEEE Symposium on Computers and Communications (ISCC) Bologna (ITA) 2-5 July 2025) [10.1109/ISCC65549.2025.11326465].

TPValCert: Privacy-Preserving Trusted Proxy for Public Key Certificate Validation

Berbecaru, Diana
2025

Abstract

X.509 public key certificates play a powerful role in promoting effective electronic identification, but some significant practical issues still affect their scalability. Every time a public key certificate is used, it must be validated by the system or application relying on it for security services, generically also called the relying party. The validation involves several processing steps and checks, and it has been measured that many applications (still) perform it incompletely. Furthermore, privacy issues may occur when validating certificates; for example, a website visited by a user could be revealed to external parties. We propose TPValCert, an architecture tailoring a trusted proxy to provide a privacy-preserving certificate validation service to the relying parties. By exploiting TPValCert, a desktop, IoT, or mobile system that needs to validate a public-key certificate may execute a transaction with a trusted proxy, which performs validation by considering certificate policy parameters, privacy, and validation options received from the client and returns the validation status. Besides reducing complexity on the client, exploiting such trusted validation parties may also bring privacy benefits. To communicate with the clients, we consider the SCVP (Server-based Certificate Validation Protocol) or DVCS (Data Validation and Certification Server) protocols, even though, depending on the context, lighter formats could be considered. Our implementation efforts emphasize the possibility of pursuing a tradeoff between timeliness, privacy, and computational resource usage, via dynamic selection of several configurable options.
ISBN: 979-8-3315-2420-3
Files in this record:

1571119168 final.pdf
Access: open access
Type: 2. Post-print / Author's Accepted Manuscript
License: Public - All rights reserved
Size: 434 kB
Format: Adobe PDF

TPValCert_Privacy-Preserving_Trusted_Proxy_for_Public_Key_Certificate_Validation.pdf
Access: restricted access
Type: 2a Post-print publisher's version / Version of Record
License: Non-public - Private/restricted access
Size: 461.58 kB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3002916