Certificates, Revocation and the new gtld's Oh My!

Similar documents
Bugzilla ID: Bugzilla Summary:

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

The Impact of Extended Validation (EV) Certificates on Customer Confidence

CA-DAY Michael Kranawetter, Chief Security Advisor (Tom Albertson, Security Program Manager) Microsoft

Websense Content Gateway HTTPS Configuration

SSL: Paved With Good Intentions. Richard Moore

Extended SSL Certificates

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Microsoft Trusted Root Certificate: Program Requirements

SSL BEST PRACTICES OVERVIEW

Alternatives and Enhancements to CAs for a Secure Web

Industry Leading Encryption Balanced Offerings from domain validated to secure EV certificates Mobile Device Capability Full Service and Support

More on SHA-1 deprecation:

IPv4 Shortage Multiple SSL Certificates on a single IP address

Internet Trust Next Generation Part 1: Requirements

CERTIFICATION PRACTICE STATEMENT UPDATE

How to check if I care for the safety of my Clients?

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Basics of SSL Certification

SSL Certificates: A Simple Solution to Website Security

extended validation SSL certificates: a standard for trust THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

SSAC Advisory on Internal Name Certificates

Internal Server Names and IP Address Requirements for SSL:

SSL. Ensure trust with our premium service

2015 Consumer Trust Survey

Extended Validation SSL Certificates

Comodo 2048 bit SSL Certificates. Security for your online business now and long into the future

GeoTrust Extended Validation SSL and Customer Confidence

Web Presence Security

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Managing CA-Signed Certificates

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

Chapter 3 Copyright Statement

Certificate technology on Pulse Secure Access

Certificate technology on Junos Pulse Secure Access

NIST ITL July 2012 CA Compromise

MD5 Considered Harmful Today

Analysis of the Global SSL Certificate Market. The Growing Need for Value-added Solutions

Breaking the Security Myths of Extended Validation SSL Certificates

SSL. Ensure trust with our premium service

Introduction to the DANE Protocol

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation Code Signing

Criminal charges are not pursued: Hacking PKI

Gain a New Level of Trust with Extended Validation SSL Certificates

Complete Website Security

Certificate Management

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

WEBTRUST FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.4 [Amended 1 ] CA/BROWSER FORUM

Public Key Infrastructures

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation SSL Version 1.4.

Wildcard and SAN: Understanding Multi-Use SSL Certificates

Adobe Marketing Cloud First-Party Cookies

BEGINNERS GUIDE TO SSL CERTIFICATES: Making the BEST choice when considering your online security options

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Switching Managed SSL Service Providers

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Support Advisory: ArubaOS Default Certificate Expiration

A Proper Foundation: Extended Validation SSL

SSL Report: ebfl.srpskabanka.rs ( )

Next Steps In Accelerating DNSSEC Deployment

How Extended Validation SSL Brings Confidence to Online Sales and Transactions

Certificates and network security

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

A Proper Foundation: Extended Validation SSL

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Realize Greater Profits As An Authorized Reseller Of Network Solutions nsprotect Secure SSL Certificates

ADDITIONAL Information Security Review, 3b/ November 2011 On vulnerabilities in the certificate system

SSL/TLS: The Ugly Truth

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0

Public Key Infrastructure (PKI)

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

TELSTRA RSS CA Subscriber Agreement (SA)

Using a custom certificate for SSL inspection

Certificate Policy and Certification Practice Statement

Breaking the Myths of Extended Validation SSL Certificates

Internet Security Research Group (ISRG)

Do Web Browsers Obey Best Practices When Validating Digital Certificates?

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options

Public Key Infrastructure

Wildcard and SAN: Understanding multi-use SSL Certificates

Global SSL Certification Market

Frequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Creating Trust Online TM. Identity & Trust Assurance in a changing standards environment. *(Extended Validation)

Verify LDAP over SSL/TLS (LDAPS) and CA Certificate Using Ldp.exe

WHITE PAPER. Maximizing Site Visitor Trust Using Extended Validation SSL

Deploying DNSSEC: From End-Customer To Content

SSL implementieren aber sicher!

Guide to Name Collision Identification and Mitigation for IT Professionals. 1 August 2014 Version 1.1

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 1.5

Frequently Asked Questions. Frequently Asked Questions: Prioritizing Trust: Certificate Authority Security Best Practices

SSL Certificates 101

ARPKI: Attack Resilient Public-Key Infrastructure

Choosing a Cloud Hosting Provider with Confidence

EV Multi-Domain Certificate Enrollment Guide

New Tricks For Defeating SSL In Practice. Moxie Marlinspike

Transcription:

Certificates, Revocation and the new gtld's Oh My! Dan Timpson sales@digicert.com www.digicert.com +1 (801) 877-2100

Focus What is a Certificate Authority? Current situation with gtld's and internal names Action taken so far Recommendations

What is a Certificate Authority? CA generates roots in secure environment ceremony, video recorded, audited, keys on HSMs CA undergoes rigorous third party audit of operations and policy CA private keys are held under extreme protections and used to sign web site certificates and status information CA applies for corresponding root certificates to be included into trusted root stores CA policy and operations must comply with Browser root store rules in order to be trusted by default - distributed by software updates

What is a Certificate Authority? When issuing a SSL/TLS cert to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of keys being used. This minimal validation is called Domain Validation or DV While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is. Stronger verification of site and domain ownership and controls for the organizations to which certs are issued allows issuance of higher assurance SSL certificates This additional validation is called Organization Validation or OV Additional checks include that they are registered and in good standing with their respective governments etc.

What is a Certificate Authority? The strongest verification of site and domain ownership with multiple verification of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates This highest tier of verification is called Extended Validation or EV EV issued certs are recognized in browser GUI e.g. green bar

What is a Certificate Authority CA provides certs (DV or OV or EV) to customers chaining to trusted roots embedded in Operating Systems and Browsers CA Customers (Site Operators) install certs on their servers for secure web pages Users (clients of CA Customers) go to secure web pages HTTPS://, User Agent checks for CA s root inclusion in browser trusted root store If CA s root is in browser s trusted store: encrypted session, favorable padlock UI (including EV green bar)

What is a Certificate Authority If CA root not in client trusted root store for browser warning displayed CAs and browsers have the ability to revoke roots, sub-cas, and certificates for any problems CAs publish revocation lists (CRLs) or provide updated certificate status information online (OCSP) If certificate revoked or expired warning displayed CAs must complete annual audits and follow CA/B Forum rules to remain in browser trusted root stores Stronger rules and higher CA standards are set for green Extended Validations or EV display

Revocation info All browsers perform some level of certificate revocation checking All CA's must provide revocation information via OCSP OCSP cache times vary by browser with the longest cache time of 7 days OCSP stapling provides OCSP response with the certificate Most current server distributions support stapling

Background - Internal names Prevalent use of internal name certs Estimate is ~11,000 certificates issued against internal names Common/recommended practice until 2011

Why is this a problem? Collisions Many servers are configured this way Different experience externally Security Potential for man-in-the-middle attacks 5 year attack opportunity on organizations with that domain

Action taken so far CA/B Forum's original baseline requirements mandated that all internal certs expire or are revoked by 2015 Based on server operator feedback and businesses Roadblocks include policy, cost and training CA/B Forum approached by ICANN CA/B Forum passed a ballot Feb 20, 2013 Accelerates the deprecation from 5 years down to 120 days after the relevant gtld contract is published. 120 days is required for large volumes (Top 10%) Mozilla.org has adopted the revised requirements July 31 st All CA's must comply to remain in the trust store

Action taken so far CASC Was formed by CA's to improve education, marketing and research Information on OCSP stapling Reconfiguring servers with public FQDN's Avoiding Collisions Digicert and other CA's are actively working to migrate customers off internal names Communicating with customers Only solves training doesn't reduce cost Digicert Internal Name Tool

Recommendations for ICANN Don't approve the names that are most commonly used in internal certs until 2015 Digicert Letter (.corp gtld) PayPal letter Approve the application but delay the delegation until 2015 Remaining 90% can move forward with minimal impact Security issues with certs is effectively resolved

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information