A Distributed Reputation System for Certification Authority Trust Management

In the current Web Public Key Infrastructure (Web PKI), few central instances have the power to make trust decisions. From a system´s perspective, it has the side effect that every Certification Authority (CA) becomes a single point of failure (SPOF). In addition, trust is no individual matter per user, what makes trust decisions hard to revise. Hence, we propose a method to leverage Internet users and thus distribute CA trust decisions. However, the average user is unable to manually decide which incoming TLS connections are trustworthy and which are not. Therefore, we overcome this issue with a distributed reputation system that facilitates sharing trust opinions while preserving user privacy. We assess our methodology using real-world browsing histories. Our results exhibit a significant attack surface reduction with respect to the current Web PKI, and at the same time we only introduce a minimal overhead.