1. Formal Modeling and Verification for Domain Validation and ACME 2017 FinancialCryptography FormalVerification
    Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Nadim Kobeissi
    [View PDF on fc17.ifca.ai]
    [Show BibTex Citation]

    @inproceedings{DBLP:conf/fc/BhargavanDK17,
    author = {Karthikeyan Bhargavan and
    Antoine Delignat{-}Lavaud and
    Nadim Kobeissi},
    editor = {Aggelos Kiayias},
    title = {Formal Modeling and Verification for Domain Validation and {ACME}},
    booktitle = {Financial Cryptography and Data Security - 21st International Conference,
    {FC} 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers},
    series = {Lecture Notes in Computer Science},
    volume = {10322},
    pages = {561--578},
    publisher = {Springer},
    year = {2017},
    url = {https://doi.org/10.1007/978-3-319-70972-7\_32},
    doi = {10.1007/978-3-319-70972-7\_32},
    timestamp = {Tue, 14 May 2019 10:00:38 +0200},
    biburl = {https://dblp.org/rec/bib/conf/fc/BhargavanDK17},
    bibsource = {dblp computer science bibliography, https://dblp.org}
    }

Web traffic encryption has shifted from applying only to highly sensitive websites (such as banks) to a majority of all Web requests. Until recently, one of the main limiting factors for enabling HTTPS is the requirement to obtain a valid certificate from a trusted certification authority, a tedious process that typically involves fees and ad-hoc key generation, certificate request and domain validation procedures. To remove this barrier of entry, the Internet Security Research Group created Let’s Encrypt, a new non-profit certificate authority which uses a new protocol called Automatic Certificate Management Environment (ACME) to automate certificate management at all levels (request, validation , issuance, renewal, and revocation) between clients (website operators) and servers (certificate authority nodes). Let’s Encrypt’s success is measured by its issuance of over 12 million free certificates since its launch in April 2016. In this paper, we survey the existing process for issuing domain-validated certificates in major certification authorities to build a security model of domain-validated certificate issuance. We then model the ACME protocol in the applied pi-calculus and verify its stated security goals against our threat model of domain validation. We compare the effective security of different domain validation methods and show that ACME can be secure under a stronger threat model than that of traditional CAs. We also uncover weaknesses in some flows of ACME 1.0 and propose verified improvements that have been adopted in the latest protocol draft submitted to the IETF.

  1.