Name : Romain Laborde

Institution : IRIT/University Paul Sabatier

 

Romain Laborde has been Maître de Conférence at University Paul Sabatier—IUT `A', Toulouse, France since September 2006. He is a member of the IRIT laboratory. He received the Ph.D. degree in computer science from University Paul Sabatier in 2005. Then, he was Research Associate in the Information Systems Security Group in the Computer Science Department, University of Kent at Canterbury, UK. His research focuses on security management including identity management, trust management, privileges management and network security management.

 

Website: http://www.irit.fr/~Romain.Laborde

 

Publications:

[1] A.S. Wazan, R. Laborde, D.W Chadwick, F. Barrere, A. Benzekri. Which web browsers process SSL certificates in a standardized way? In : 24th IFIP International Information Security Conference, Springer, p. 432-442, 2009

 

[2] A.S. Wazan, R. Laborde, F. Barrère, A. Benzekri. Validating X.509 Certificates Based on Their Quality. In : International Symposium on Trusted Computing, , IEEE Computer Society, p. 2055-2060, 2008.

 

 

Title of Project : Evaluation of the X.509 certificates chain of trust

X509 identity certificates are used to authenticate entities such as persons or computers. When an entity, called relying party, receives an identity certificates from another entity, it has to trust three entities to decide whether to trust the certificate or no:

-         the software that is appointed to validate the certificate in behalf of the relying party,

-         the public key infrastructure that has certified the information inside the certificate is correct,

-         the certificate user to keep its private key “private.”

We are currently working on the first two issues:

1)     We have evaluated how the main web browsers implement the standards. We have tested the handling of the main fields in SSL certificates and found that web browsers do not process them in a homogenous way. An SSL certificate can be accepted by some web browsers whereas a message reporting an error can be delivered to users by other web browsers for the same certificate. This diversity of behavior might cause users to believe that SSL certificates are unreliable or error prone, which might lead them to consider that SSL certificates are useless. We have highlighted these different behaviors and explained the reasons for them which can be either a violation of the standards or ambiguity in the standards themselves.

2)     We are trying to provide users with a quantitative information of the confidence a relying party can have about a certificate. We’ve called this information Quality of Certificate (QoCER). QoCER depends on two parameters which are the Quality of CPS that indicates the global robustness of the procedures announced in the Certificate Policy and its Certification Practice Statement, and the Quality of PKI that represents the evaluation of the PKI commitment to its CP/CPS. The value of QoPKI is calculated based on the recommendation of different actors (audit agency, relying parties, etc). The value of QoCER is balanced by another quantitative information that represents the confidence on the QoPKI value, e.g. how it has been calculated. We have defined a reputation based formal model of trust to calculate these values.