“Our work produced a couple of significant systematizations. It gave a thorough overview of various incidents that have taken place in certification authorities over the last 20+ years. It also presented various trust models in a unified manner, simplifying their comparison.”
SPoF (Single Point of Failure) was the initial research project, conducted in 2019-2020. This fault tolerance analysis pointed at the weak links in the Estonian eID ecosystem that could have affected many users. The main weakness identified was the number of different authentication protocols in use in Estonia.
Following this finding, two further research projects were carried out. SPoF2.1 studied the authentication tools and services used in Estonia to find out whether it would be possible to harmonise their APIs and how to avoid man-in-the-middle attacks. SPoF2.2 examined how to reduce the dependence on the validity confirmation service and how to ensure functionality in a situation where the validity confirmation service does not work.
This brings us to SPoF2.3. The project consisted of two parts – analysis and recommendation.
In the first part, we collected and systematised material on crises related to Certificate Authorities, chains of trust and trust lists, and analysed the differences between trust models based on their technical and legal aspects. In the second part, we developed a recommendation for a suitable eID trust model for Estonia, with all the necessary technical descriptions.
We asked Peeter Laud, our Senior Researcher on this project, to let us in on the details of the research.
What was the objective of this research?
The project was about analysing and constructing trust models for the distribution of public keys used for authentication and signing. Our society is highly dependent on the functioning of public key infrastructure (PKI) – a system for distributing public keys. Hence, we want its implementation and deployment to be robust. The notion of robustness includes the lack of single points of failure, at least in those parts of the system with higher integrity and availability expectations.
In Estonia, the current deployment of PKI is very much dependent on a single entity. The failure of this entity could mean that our public key certificates can no longer be trusted, we can no longer log into service providers' information systems relying on this PKI, and the digital signatures we have issued may lose their meaning. While this entity has so far executed its duties commendably, its position as a SPoF is worrying. We should add more redundancy to our PKI, but the necessary changes should not break existing systems.
Please describe the most notable findings.
We were looking at improvements that could be implemented without breaking existing systems. Existing systems implement existing standards and follow existing laws, the body of which has been built up over almost thirty years. It is difficult to change laws and standards, especially the latter. The existing standards have painted us into a corner: in order to implement them, we have to introduce SPoF-s with respect to integrity properties, and almost introduce SPoF-s with respect to availability properties. The existing laws appear to be more permissive in capturing various trust models.
Nevertheless, we provide suggestions on how to reduce the effect of failures on the availability of the PKI. We show how certain redundancy can be fit within the existing standards, while keeping the increase in the costs of running the system under control.
Our work also produced a couple of significant systematizations. It gave a thorough overview of various incidents that have taken place in certification authorities over the last 20+ years. It also presented various trust models in a unified manner, simplifying their comparison.
Are the findings already being considered for use in the eID systems?
Not yet. The results of the project were not about single eID systems, but rather about the configuration of the infrastructure.
However, the suggestions that we made during the project should be implemented and deployed. The necessary work will be a project, but perhaps it will be run internally by RIA (Estonian Information System Authority).
What should the next research projects be about, considering the current findings?
Trust models should be further formalized, compared with each other, and extended with models of various kinds of actors.