Everything in PKI but the Kitchen Sink (in 30 minutes or less)
Presentation Transcript
slide1

Everything in PKI

but the Kitchen Sink

(in 30 minutes or less)

Jeremy Rowley

slide2

Common Incorrect Assumptions

  • The new gTLDs will break the internet!
  • Certificate authorities (CAs) are completely unregulated.
  • CAs haven’t changed since the 90s.
  • Browsers don’t even check revocation anymore.
  • All certificates are the same so the CA doesn’t matter.
  • SSL is no longer secure!
slide3

CAs and RAs

  • CAs generate “roots” and issue certificates
    • Public v. private CAs
    • Audit Criteria
    • Browser Requirements
    • Operations defined by CPS
    • About 65 public CA entities
  • RAs verify identities
    • Multi-factor authentication
    • Audit Criteria
    • Operations defined by standards
  • Pending Regulations/Standards
    • Qualified SSL Certificates
    • ISO update
    • NIST CP
slide4

Validation Standards

Low standard:

SSAC 085: The SSAC recommends that the ICANN community should seek to identify validation techniques that can be automated and to develop policies that incent the development and deployment of those techniques. The use of automated techniques may necessitate an initial investment but the long-term improvement in the quality and accuracy of registration data will be substantial.

Established standards:

  • CA/Browser Forum
    • EV/OV/DV
    • Used by Browsers/Public CAs
  • NIST
    • LOA1-LOA4
    • Used by government and healthcare
  • Kantara
    • LOA1-LOA4
    • International Standards
  • FBCA
    • Rudimentary, Basic, Medium, Medium Hardware, High
    • Used in government, aerospace, and healthcare

slide6

Transactional Security

  • Major industry improvements since 2006
    • Higher security standards
    • Better identity vetting process
  • Minimum security requirements for trust
    • 2048
    • Move to SHA2
    • No compromised cipher suites/hash functions
    • Security standards
  • Non-trusted certificate causes browser warnings
    • Chained to trusted root
    • Valid and unexpired
  • Issues
    • Cookies
    • Publishing revocation information
    • Outdated domain information
slide7

Revocation Information

  • All major browsers perform some level of certificate revocation checking
    • OCSP
    • CRL
    • CRL Sets
    • OCSP Stapling
  • All SSL public CAs provide revocation information via OCSP
  • Cache times vary by browser
    • Longest is 7 days
  • OCSP stapling provides OCSP response with the certificate
    • Eliminates communication with CA
    • Current server distributions support stapling
slide8

Internal Names

  • Internal Server Name
    • .example, .corp, .mail
    • ~20,000 certificates
    • Common/recommended practice until 2011
    • Used by Exchange, Blackboard, and other software
  • ICANN
    • Name collision risks (.corp, .home)
    • MITM attack risks
    • PayPal letter – 13 domains
    • CA/Browser Letter
    • Add .mail
  • Barriers to Remedies
    • Established systems
    • Long-lived certificates
    • Training of server operators
    • Costs
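
An added example (not from the presentation): a small audit that flags internal names of the kind this slide describes in an inventory of certificate SAN entries, so operators can find certificates to replace. The suffix set, the sample inventory and the function names are assumptions of the example, and it goes slightly beyond the slide by also flagging private IP addresses.

```python
import ipaddress

# Suffixes named on the slide (.example, .corp, .mail, .home); the set is an
# assumption of this example, not a complete list of non-public TLDs.
INTERNAL_SUFFIXES = {"example", "corp", "mail", "home"}


def classify_san(entry):
    """Return a reason string if a SAN entry is an internal name, else None."""
    name = entry.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # judge a wildcard by its base domain
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    else:
        return "private or reserved IP address" if not ip.is_global else None
    labels = name.split(".")
    if len(labels) == 1:
        return "single-label host name"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal suffix ." + labels[-1]
    return None


def audit(inventory):
    """Map certificate id -> list of (SAN entry, reason) for flagged entries."""
    findings = {}
    for cert_id, sans in inventory.items():
        flagged = [(s, classify_san(s)) for s in sans]
        flagged = [(s, why) for s, why in flagged if why]
        if flagged:
            findings[cert_id] = flagged
    return findings


# Constructed sample inventory (certificate label -> SAN entries).
SAMPLE = {
    "exchange-2010": ["mail.example.com", "EXCH01", "exch01.hq.corp", "10.1.2.3"],
    "public-web": ["www.example.com", "*.example.com"],
    "lms": ["blackboard.campus.mail.", "*.intranet.home"],
}

if __name__ == "__main__":
    for cert_id, flagged in audit(SAMPLE).items():
        for san, why in flagged:
            print(f"{cert_id}: {san} -> {why}")
```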