GEORGIA INSTITUTE OF TECHNOLOGY
Grant Start Date
1 August 2022
Grant End Date
31 December 2023
United States of America
This research addresses the question of how private sector governance mechanisms interact with technology to produce trust and security on the Web. The project provides an independent assessment of Web PKI as a system of security governance. It explains and explores how Web PKI works, what actors are involved in it, how it is sustained economically, how resilient it is, and how it relates to national systems of authority. In addition to these descriptive results, the research links changes in market concentration and governance reforms with security metrics.
WHY IS THIS RESEARCH IMPORTANT?
There has always been tension between the global connectivity of the Internet and the jurisdiction of governments, where different rules and standards are enforced in each territory. Private sector governance arrangements provide a mechanism for overcoming that problem by developing transnational mechanisms for cooperative solutions to security and policy problems. As geopolitical tensions rise, however, trust in cyberspace has deteriorated. This is creating pressure for new cybersecurity policy initiatives by national governments and intergovernmental organizations. Many of these state-driven rules threaten the Internet community’s existing cooperative structures and may create fragmentation. In this environment, broader awareness of the existence and workings of private sector governance mechanisms like Web PKI is needed.
The research is highly relevant to current cybersecurity and Internet governance debates. Although rarely recognized as such, PKI is a “critical infrastructure” that billions of people rely on. Hundreds of millions of TLS/SSL certificates guarantee the security and privacy of Internet users. In the past five years, the percentage of TLS traffic has doubled. By better understanding this infrastructure’s economic and governance features, the research identifies threats to resiliency and explores prospective governance reforms. The Web PKI market involves competition against a zero-cost service, private sector governance shaped by non-market relations, and technological transformation with increasing transparency and automation. These complex features can be found in other high-technology sectors, presenting opportunities for application outside the study of cybersecurity.
The research uses both quantitative and qualitative data sources related to the Web PKI ecosystem. Inputs include reviews of public documents like organizational minutes and ballots, semi-structured interviews with stakeholders and with participants involved in the Web PKI ecosystem, and empirical analysis of technical data produced by the Common CA Database, which serves as an important public data source in the certificate space.
MEDIA AND PUBLICATIONS
See below for research publications and other articles related to the research.