1 / 12

Everything in PKI but the Kitchen Sink (in 30 minutes or less)

Everything in PKI but the Kitchen Sink (in 30 minutes or less). Jeremy Rowley. Common Incorrect Assumptions. The new gTLDs will break the internet! Certificate authorities (CAs) are completely unregulated. CAs haven’t changed since the 90s. Browsers don’t even check revocation anymore.

alton
Download Presentation

Everything in PKI but the Kitchen Sink (in 30 minutes or less)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Everything in PKI but the Kitchen Sink (in 30 minutes or less) Jeremy Rowley

  2. Common Incorrect Assumptions • The new gTLDs will break the internet! • Certificate authorities (CAs) are completely unregulated. • CAs haven’t changed since the 90s. • Browsers don’t even check revocation anymore. • All certificates are the same so the CA doesn’t matter. • SSL is no longer secure!

  3. CAs and RAs • CAs generate “roots” and issue certificates • Public v. private CAs • Audit Criteria • Browser Requirements • Operations defined by CPS • About 65 public CA entities • RAs verify identities • Multi-factor authentication • Audit Criteria • Operations defined by standards • Pending Regulations/Standards • Qualified SSL Certificates • ISO update • NIST CP

  4. Validation Standards Low standard: SSAC 085: The SSAC recommends that the ICANN community should seek to identify validation techniques that can be automated and to develop policies that incent the development and deployment of those techniques. The use of automated techniques may necessitate an initial investment but the long-term improvement in the quality and accuracy of registration data will be substantial. Established standards: CA/Browser Forum EV/OV/DV Used by Browsers/Public CAs NIST LOA1-LOA4 Used by government and healthcare Kantara LOA1-LOA4 International Standards FBCA Rudimentary, Basic, Medium, Medium Hardware, High Used in government, aerospace, and healthcare

  5. Validation Process

  6. Transactional Security • Major industry improvements since 2006 • Higher security standards • Better identity vetting process • Minimum security requirements for trust • 2048 • Move to SHA2 • No compromised cipher suites/hash functions • Security standards • Non-trusted certificate causes browser warnings • Chained to trusted root • Valid and unexpired • Issues • Cookies • Publishing revocation information • Outdated domain information

  7. Revocation Information • All major browsers perform some level of certificate revocation checking • OCSP • CRL • CRL Sets • OCSP Stapling • All SSL public CAs provide revocation information via OCSP • Cache times vary by browser • Longest is 7 days • OCSP stapling provides OCSP response with the certificate • Eliminates communication with CA • Current server distributions support stapling

  8. Internal Names • Internal Server Name • .example, .corp, .mail • ~20,000 certificates • Common/recommended practice until 2011 • Used by Exchange, blackboard, and other software • ICANN • Name collision risks (.corp, .home) • MITM attack risks • Paypal letter – 13 domains • CA/Browser Letter • Add .mail • Barriers to Remedies • Established systems • Long-lived certificates • Training of server operators • Costs

  9. Mitigating Risks Related to Internal Names

  10. Industry Improvements

  11. Next Steps

  12. Industry Movers

More Related