Human and Organizational Factors in Public Key Certificate Authority Failures

Public Key Infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. Public key certificates are issued and validated by Certificate Authorities (CAs), which have their trust-of-anchor certificates in Root Program Operators' stores. These CAs provide certificates that attest to the integrity of the ownership of domain names on the web and enable secure communications. Each year hundreds of certificates are by these verified and trusted Certificate Authorities issued in error. In this research, we complied and classified certificate incident reports documented on Bugzilla, a web-based bug tracking system where such instances are reported. We focus on the 210 incident reports from the last year; we compare this pandemic period to trends from previous years. Our data show that the frequency of Certificate Authority non-compliance is a consistence source of vulnerability in the PKI ecosystem. The evaluation of reasons for the misissuance illustrate the role of one-off human failures, systematic interaction flaws leading to repeated incidents, and evidence of perverse incentives leading to misissuance.