VeriSign CZAG: Privacy Leak in X.509 Certificates
We first analyze a concrete example of embedding sensitive information in X.509 certificates: VeriSign's CZAG extension. Second, we consider the general case of sharing certified information with a mutable subset of relying parties. The example nicely illustrates several well-known technical, social, and economic issues through the effective publication of users' country, zip code, date of birth, and gender in as many as three million certificates over a five-year period ending in 2002. The general case continues to arise in many new PKI deployments, where system designers are pressured to include potentially sensitive information in end-entity certificates. Ultimately, failure to carefully consider the risks when developing a certificate profile may allow sensitive information to leak outside the intended scope.
author = {Scott G. Renfro},
title = {{VeriSign} {CZAG}: Privacy Leak in X.509 Certificates},
booktitle = {11th USENIX Security Symposium (USENIX Security 02)},
year = {2002},
address = {San Francisco, CA},
url = {https://www.usenix.org/conference/11th-usenix-security-symposium/verisign-czag-privacy-leak-x509-certificates},
publisher = {USENIX Association},
month = aug
}