A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies


Hammurabi is a research project focused on improving certificate validation in the Web PKI.


In the Web PKI, TLS clients (browsers, mobile apps, etc.) verify the identity of a server by validating its X.509 certificate during the TLS handshake. Unfortunately, there is no single, authoritative set of rules that dictate whether a certificate is valid or not; rules are drawn from various RFCs and (for web browsers) the CA/Browser Forum Baseline Requirements. Furthermore, specialized clients like web browsers often have their own additional, bespoke validation rules.

To make matters worse, the high-level validation rules or policies that describe what constitutes a valid certificate are entangled with low-level validation mechanisms such as certificate parsing, verifying cryptographic signatures, and checking revocation.

This entanglement makes it hard to:

With Hammurabi, certificate validation policies are expressed as high-level logic (Prolog) programs. Clients pass candidate certificates to the Hammurabi engine, which performs basic certificate checks (e.g., signature verification) before executing a validation policy over the certificate chain. Hammurabi returns the validation result to the client.

To demonstrate the feasibility of expressing validation policies in Hammurabi, we extracted the certificate validation rules found in both Google Chrome and Mozilla Firefox into Prolog programs. In the paper, we show that our translations produce the same result as the actual browsers for millions of certificates.

Hammurabi not only promotes validation policy analysis, comparison, and reuse, but can also be used to bridge the gap between standards and code: certificate validation standards and bespoke requirements can be codified into executable Hammurabi policies.

BibTeX Citation

  title={{Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies}},
  author={Larisch, James and Aqeel, Waqar and Lum, Michael and Goldschlag, Yaelle and Torshizi, Kasra and Kannan, Leah and Wang, Yujie and Chung, Taejoong and Levin, Dave and Maggs, Bruce M. and Mislove, Alan and Parno, Bryan and Wilson, Christo},
  booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},