120 likes | 317 Views
Everything in PKI but the Kitchen Sink (in 30 minutes or less). Jeremy Rowley. Common Incorrect Assumptions. The new gTLDs will break the internet! Certificate authorities (CAs) are completely unregulated. CAs haven’t changed since the 90s. Browsers don’t even check revocation anymore.
E N D
Everything in PKI but the Kitchen Sink (in 30 minutes or less) Jeremy Rowley
Common Incorrect Assumptions • The new gTLDs will break the internet! • Certificate authorities (CAs) are completely unregulated. • CAs haven’t changed since the 90s. • Browsers don’t even check revocation anymore. • All certificates are the same so the CA doesn’t matter. • SSL is no longer secure!
CAs and RAs • CAs generate “roots” and issue certificates • Public v. private CAs • Audit Criteria • Browser Requirements • Operations defined by CPS • About 65 public CA entities • RAs verify identities • Multi-factor authentication • Audit Criteria • Operations defined by standards • Pending Regulations/Standards • Qualified SSL Certificates • ISO update • NIST CP
Validation Standards Low standard: SSAC 085: The SSAC recommends that the ICANN community should seek to identify validation techniques that can be automated and to develop policies that incent the development and deployment of those techniques. The use of automated techniques may necessitate an initial investment but the long-term improvement in the quality and accuracy of registration data will be substantial. Established standards: CA/Browser Forum EV/OV/DV Used by Browsers/Public CAs NIST LOA1-LOA4 Used by government and healthcare Kantara LOA1-LOA4 International Standards FBCA Rudimentary, Basic, Medium, Medium Hardware, High Used in government, aerospace, and healthcare
Transactional Security • Major industry improvements since 2006 • Higher security standards • Better identity vetting process • Minimum security requirements for trust • 2048 • Move to SHA2 • No compromised cipher suites/hash functions • Security standards • Non-trusted certificate causes browser warnings • Chained to trusted root • Valid and unexpired • Issues • Cookies • Publishing revocation information • Outdated domain information
Revocation Information • All major browsers perform some level of certificate revocation checking • OCSP • CRL • CRL Sets • OCSP Stapling • All SSL public CAs provide revocation information via OCSP • Cache times vary by browser • Longest is 7 days • OCSP stapling provides OCSP response with the certificate • Eliminates communication with CA • Current server distributions support stapling
Internal Names • Internal Server Name • .example, .corp, .mail • ~20,000 certificates • Common/recommended practice until 2011 • Used by Exchange, blackboard, and other software • ICANN • Name collision risks (.corp, .home) • MITM attack risks • Paypal letter – 13 domains • CA/Browser Letter • Add .mail • Barriers to Remedies • Established systems • Long-lived certificates • Training of server operators • Costs