Date post: 28-Mar-2015
Everything in PKI but the Kitchen Sink (in 30 minutes or less)

Jeremy Rowley

Sales@digicert.com | www.digicert.com | +1 (801) 877-2100


Common Incorrect Assumptions

• The new gTLDs will break the internet!
• Certificate authorities (CAs) are completely unregulated.
• CAs haven’t changed since the 90s.
• Browsers don’t even check revocation anymore.
• All certificates are the same so the CA doesn’t matter.
• SSL is no longer secure!


CAs and RAs

• CAs generate “roots” and issue certificates
  • Public v. private CAs
  • Audit Criteria
  • Browser Requirements
  • Operations defined by CPS
  • About 65 public CA entities
• RAs verify identities
  • Multi-factor authentication
  • Audit Criteria
  • Operations defined by standards
• Pending Regulations/Standards
  • Qualified SSL Certificates
  • ISO update
  • NIST CP


Validation Standards

Low standard: SSAC 085: The SSAC recommends that the ICANN community should seek to identify validation techniques that can be automated and to develop policies that incent the development and deployment of those techniques. The use of automated techniques may necessitate an initial investment but the long-term improvement in the quality and accuracy of registration data will be substantial.

Established standards:
• CA/Browser Forum
  • EV/OV/DV
  • Used by Browsers/Public CAs
• NIST
  • LOA1-LOA4
  • Used by government and healthcare
• Kantara
  • LOA1-LOA4
  • International Standards
• FBCA
  • Rudimentary, Basic, Medium, Medium Hardware, High
  • Used in government, aerospace, and healthcare


Validation Process

Domain Verification
• WHOIS
• Domain challenge
• Demonstration of control

Organization Verification
• Organization name and address
• Certificate authorization
• Verified contact

Extended Validation
• Jurisdiction of Incorporation
• Telephone and Place of Business
• Signing Authority

Other Attributes
• Membership in a community
• Credentials


Transactional Security

• Major industry improvements since 2006
  • Higher security standards
  • Better identity vetting process
• Minimum security requirements for trust
  • 2048
  • Move to SHA2
  • No compromised cipher suites/hash functions
  • Security standards
• Non-trusted certificate causes browser warnings
  • Chained to trusted root
  • Valid and unexpired
• Issues
  • Cookies
  • Publishing revocation information
  • Outdated domain information


Revocation Information

• All major browsers perform some level of certificate revocation checking
  • OCSP
  • CRL
  • CRL Sets
  • OCSP Stapling
• All SSL public CAs provide revocation information via OCSP
• Cache times vary by browser
  • Longest is 7 days
• OCSP stapling provides OCSP response with the certificate
  • Eliminates communication with CA
• Current server distributions support stapling


Internal Names

• Internal Server Name
  • .example, .corp, .mail
  • ~20,000 certificates
  • Common/recommended practice until 2011
  • Used by Exchange, Blackboard, and other software
• ICANN
  • Name collision risks (.corp, .home)
  • MITM attack risks
  • PayPal letter – 13 domains
  • CA/Browser Letter
  • Add .mail
• Barriers to Remedies
  • Established systems
  • Long-lived certificates
  • Training of server operators
  • Costs


Mitigating Risks Related to Internal Names

CA/Browser Forum
• Previous deprecation – November 2015
• Accelerated deprecation – 120 days of contract signing
• 120 days selected to account for .corp (adopted July 2013)
• Advanced notice from ICANN

CAs
• Internal server name tools
• Outreach to customers

ICANN Collision Mitigation
• Not release .corp and .home
• Evaluate 20%
• Release 80%

Opinion
• .mail should be included
• 20% is too high (many names are not that prevalent)


Industry Improvements

Developments

Certificate Transparency (CT)
• Public logs of all certificates
• Signed proof in certificate
• Detect mis-issuance
• Being deployed in Chrome

Certificate Authority Authorization (CAA)
• DNS record specifying authorization
• Prevents mis-issuance
• Requires no browser changes
• Already deployed by Mozilla and Google

Key Pinning
• Associates domain with specific certificate
• Can pin root, intermediate, or end-entity
• Potential bricking problem
• Deployed in Chrome

DNS-Based Authentication of Named Entities (DANE)
• Relies on DNSSEC
• Specifies public key in DNS
• Several modes, including public certificates
• Not deployed in major browsers
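
How a CA would evaluate the CAA records described above, as an added example that is not part of the original slides: a simplified Python check following RFC 8659 semantics (climbing the DNS tree, `issue` versus `issuewild`, and the deny-all `;` value). The `ZONE` table, domain names and CA identifiers are constructed stand-ins for DNS lookups; CNAME handling and the critical flag are left out.

```python
# Added example: simplified CAA evaluation (RFC 8659 semantics).
# ZONE is a constructed stand-in for DNS; every name and CA identifier is illustrative.
ZONE = {
    "example.com": [("issue", "ca.example.net"), ("issuewild", ";")],
    "shop.example.com": [("issue", "other-ca.example.org; account=123")],
    "blocked.example.org": [("issue", ";")],
    "mail.example.org": [("iodef", "mailto:sec@example.org")],
}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root and return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca_domain, zone=ZONE):
    """Return True if ca_domain may issue for name (name may be '*.example.com')."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    issue = [value for tag, value in rrset if tag.lower() == "issue"]
    issuewild = [value for tag, value in rrset if tag.lower() == "issuewild"]
    # For wildcard names, issuewild properties replace issue properties when present.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        # Only iodef/unknown tags, or no records at all: CAA does not restrict issuance.
        return True
    # Value format is "<issuer-domain>[; parameters]"; an empty issuer domain
    # (the bare ";" value) authorizes no CA.
    allowed = {value.split(";", 1)[0].strip().lower() for value in props}
    return bool(ca_domain) and ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca in [("api.example.com", "ca.example.net"),
                     ("*.example.com", "ca.example.net"),
                     ("www.shop.example.com", "ca.example.net")]:
        print(name, ca, ca_may_issue(name, ca))
```

The check runs on the CA side before issuance, which is why the slide notes that CAA requires no browser changes.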


Next Steps

Improve research and multi-stakeholder collaboration
• Many improvements need additional consideration

Implement improvements where needed and as completed
• Many proposals will take time to deploy and need further refinement

Discuss the 20%
• Many of these can likely be approved sooner than later, with a few that simply should not be granted

Make continuous improvements
• Monitor emerging security threats and continue looking for ways to improve security

Improve WHOIS
• Significant benefits in security with notice to CAs of registrant changes

Work with CAs
• CAs are interested in improving the landscape, and DigiCert is taking a lead role, especially with CT
• Most CAs are excited about new developments

Look forward to the future
• Many smart people are working on these issues, and the future looks good


Industry Movers

• CA/Browser Forum: EV Guidelines, Baseline Requirements, Code Signing, Security Requirements
• CASC: OCSP stapling adoption, research in PKI, disseminating accurate information
• ETSI/WebTrust: Updated audit criteria, more stringent standards
• ISO: New standards in identity vetting and operations
• NIST: Draft certificate policy, updated identity vetting requirements
• IETF: New technology, Pinning, CAA, CT, DANE, evaluating implementations
• ICANN: New and improved WHOIS information
• OTA: Developing and promoting SSL best practices

