Automated certificate authorities (CAs) have expanded the reach of public key infrastructure on the web and for software signing. The certificates that these CAs issue attest to proof of control of some digital identity. Some of these automated CAs issue certificates in response to client authentication using OpenID Connect (OIDC, an extension of OAuth 2.0). This places these CAs in a position to impersonate any identity. Mitigations for this risk, like certificate transparency and signature thresholds, have emerged, but these mitigations only detect or raise the difficulty of compromise. Researchers have proposed alternatives to CAs in this setting, but many of these alternatives would require prohibitive changes to deployed authentication protocols. In this work, we propose a cryptographic technique for reducing trust in these automated CAs. When issuing a certificate, the CAs embed a proof of authentication from the subject of the certificate -- but without enabling replay attacks. We explain multiple methods for achieving this with tradeoffs between user privacy, performance, and changes to existing infrastructure. We implement a proof of concept for a method using Guillou-Quisquater signatures that works out-of-the-box with existing OIDC deployments for the open-source Sigstore CA, finding that minimal modifications are required.
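To make the Guillou-Quisquater mechanism concrete, the following is an added, textbook GQ signature in Python; it is not the paper's construction nor Sigstore's code. The identity string standing in for an OIDC subject, the demo-size modulus, and signing the certificate body so that a proof issued for one certificate cannot be replayed onto another are constructed assumptions for illustration.

```python
# Added illustration of Guillou-Quisquater (GQ) signatures, not the paper's or Sigstore's code.
from __future__ import annotations
import hashlib
import secrets

# Demo-size modulus from two known primes (constructed; far too small for real use).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
V = 65537  # public exponent, coprime to (P-1)(Q-1)
_NBYTES = (N.bit_length() + 7) // 8

def derive_identity(identity: str) -> int:
    """Public identity value J, derived from an identity string (assumed: an OIDC subject)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N

def issue_secret(identity: str) -> int:
    """Trusted setup (requires the factorisation of N): B with J * B^V == 1 (mod N)."""
    phi = (P - 1) * (Q - 1)
    j_inv = pow(derive_identity(identity), -1, N)
    return pow(j_inv, pow(V, -1, phi), N)

def _challenge(message: bytes, commitment: int) -> int:
    """Fiat-Shamir challenge d = H(message || T), reduced to the range [0, V)."""
    h = hashlib.sha256(message + commitment.to_bytes(_NBYTES, "big")).digest()
    return int.from_bytes(h, "big") % V

def sign(secret: int, message: bytes, nonce: int | None = None) -> tuple[int, int]:
    """GQ signature (d, D): commit T = r^V, challenge d = H(M, T), response D = r * B^d."""
    r = (secrets.randbelow(N - 1) + 1) if nonce is None else nonce % N
    commitment = pow(r, V, N)
    d = _challenge(message, commitment)
    return d, (r * pow(secret, d, N)) % N

def verify(identity: str, message: bytes, signature: tuple[int, int]) -> bool:
    """Verifier recomputes T' = D^V * J^d (== r^V when valid) and checks the challenge."""
    d, big_d = signature
    commitment = (pow(big_d, V, N) * pow(derive_identity(identity), d, N)) % N
    return _challenge(message, commitment) == d

def demo() -> tuple[bool, bool]:
    """Proof bound to certificate A verifies for A but not when replayed onto certificate B."""
    subject = "alice@example.com"                     # constructed OIDC-style subject
    cert_a = b"cert: subject=alice serial=1 key=K1"    # constructed certificate bodies
    cert_b = b"cert: subject=alice serial=2 key=K2"
    proof = sign(issue_secret(subject), cert_a)
    return verify(subject, cert_a, proof), verify(subject, cert_b, proof)
```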