CACert - A Community-driven Certification Authority - OpenSistemas
Upcoming SlideShare
Loading in...5
×
 

CACert - A Community-driven Certification Authority - OpenSistemas

on

  • 267 views

 

Statistics

Views

Total Views
267
Views on SlideShare
267
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-ShareAlike LicenseCC Attribution-NonCommercial-ShareAlike LicenseCC Attribution-NonCommercial-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    CACert - A Community-driven Certification Authority - OpenSistemas CACert - A Community-driven Certification Authority - OpenSistemas Presentation Transcript

    • CACert A Community-driven Certification Authority Juanjo Amor jjamor@opensistemas.com OpenSistemas 29 Abril 2011 Juanjo Amor CACert
    • (cc) 2011 Juanjo Amor and Wikipedia Some rights reserved. This work licensed under Creative Commons Attribution-ShareAlike License. To view a copy of full license, see http://creativecommons.org/licenses/by-sa/3.0/ or write to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Juanjo Amor CACert
    • Index Juanjo Amor CACert
    • About Opensistemas Opensistemas is an international company Juanjo Amor CACert
    • About Opensistemas Opensistemas is an international company highly specialized Juanjo Amor CACert
    • About Opensistemas Opensistemas is an international company highly specialized in offering global IT solutions Juanjo Amor CACert
    • About Opensistemas Opensistemas is an international company highly specialized in offering global IT solutionsbased on Open Sourceand Linuxplatforms. Juanjo Amor CACert
    • About Opensistemas Our Vision: Juanjo Amor CACert
    • About Opensistemas Our Vision: To become the international leader in Open Source Technologies. Juanjo Amor CACert
    • About Opensistemas Our Vision: To become the international leader in Open Source Technologies. Our Mission: Juanjo Amor CACert
    • About Opensistemas Our Vision: To become the international leader in Open Source Technologies. Our Mission: Apply our knowledge of the opportunities offered by Open Source to deliver effective solutions and innovation to our customers while promoting the professional development of our employees and building value for shareholders. Juanjo Amor CACert
    • About Opensistemas Our Vision: To become the international leader in Open Source Technologies. Our Mission: Apply our knowledge of the opportunities offered by Open Source to deliver effective solutions and innovation to our customers while promoting the professional development of our employees and building value for shareholders. Our Values: Juanjo Amor CACert
    • About Opensistemas Our Vision: To become the international leader in Open Source Technologies. Our Mission: Apply our knowledge of the opportunities offered by Open Source to deliver effective solutions and innovation to our customers while promoting the professional development of our employees and building value for shareholders. Our Values: Deliver effective solutiosn to our customers. Corporate social responsibility. Commitment to Open Source. Ethics and Respect for individuals. Research and Innovation. Teamwork. Commitment to the development of a society connected by information and knowledge. Juanjo Amor CACert
    • About Opensistemas Our Markets Juanjo Amor CACert
    • About Opensistemas Our Partners Juanjo Amor CACert
    • About Opensistemas Opensistemas is present in nine locations over five countries: Spain (Madrid, Valencia, Barcelona, Sevilla, Zaragoza), Chile (Santiago), Colombia (Bogot´a), United Kingdom (London) and China (Shanghai). Juanjo Amor CACert
    • About Opensistemas Contact Information www.opensistemas.com info@opensistemas.com +34 902 107 396 Juanjo Amor CACert
    • Index Juanjo Amor CACert
    • PKI concepts PKI meaning... Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... CA = Certification Authority Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... CA = Certification Authority RA = Registration Authority Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... CA = Certification Authority RA = Registration Authority VA = Validation Authority Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... CA = Certification Authority RA = Registration Authority VA = Validation Authority Public keys (person, server and authority certificates) Juanjo Amor CACert
    • PKI concepts PKI meaning... PKI = Public Key Infrastructure a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates PKI components... CA = Certification Authority RA = Registration Authority VA = Validation Authority Public keys (person, server and authority certificates) Policies and procedures Juanjo Amor CACert
    • PKI diagram of a public key infrastructure Juanjo Amor CACert
    • PKI example 1: Standard CA Standard CAs such as Thawte, Verisign... Juanjo Amor CACert
    • PKI example 1: Standard CA Standard CAs such as Thawte, Verisign... CA: Joins the CA, RA, VA. Juanjo Amor CACert
    • PKI example 1: Standard CA Standard CAs such as Thawte, Verisign... CA: Joins the CA, RA, VA. Our navigator trusts in signed certificates by that CA Juanjo Amor CACert
    • PKI example 1: Standard CA Standard CAs such as Thawte, Verisign... CA: Joins the CA, RA, VA. Our navigator trusts in signed certificates by that CA The certificate chain informs browser about VA Juanjo Amor CACert
    • PKI example 1: Standard CA Standard CAs such as Thawte, Verisign... CA: Joins the CA, RA, VA. Our navigator trusts in signed certificates by that CA The certificate chain informs browser about VA Example: Try to get certificate information by using Thawte SSL Ca Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. RA: Delegated to other institutions such as AEAT, city councils... Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. RA: Delegated to other institutions such as AEAT, city councils... CA certificate is not directly recognized by standard browsers Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. RA: Delegated to other institutions such as AEAT, city councils... CA certificate is not directly recognized by standard browsers so we should import CA certificates into it. Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. RA: Delegated to other institutions such as AEAT, city councils... CA certificate is not directly recognized by standard browsers so we should import CA certificates into it. This is one of first certificates acknowledged for legally identifying people or enterprises in Spain. Juanjo Amor CACert
    • PKI example 2: The FNMT CA Spanish FNMT CA CA: Joins CA and VA. RA: Delegated to other institutions such as AEAT, city councils... CA certificate is not directly recognized by standard browsers so we should import CA certificates into it. This is one of first certificates acknowledged for legally identifying people or enterprises in Spain. Example: Import FNMT certificate and then get its information. Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA CA: At DGP headquarters Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA CA: At DGP headquarters RA: At DGP DNIe offices Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA CA: At DGP headquarters RA: At DGP DNIe offices VA: Delegated to third parties (FNMT, for example) Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA CA: At DGP headquarters RA: At DGP DNIe offices VA: Delegated to third parties (FNMT, for example) This is the CA for spanish electronic ID (DNIe). Also acknowledged for legally identifying people. Juanjo Amor CACert
    • PKI example 3: The DGP CA Spanish DGP (Police) CA CA: At DGP headquarters RA: At DGP DNIe offices VA: Delegated to third parties (FNMT, for example) This is the CA for spanish electronic ID (DNIe). Also acknowledged for legally identifying people. Example: Import DGP certificate and then get its information. Juanjo Amor CACert
    • Web of Trust Web of trust Juanjo Amor CACert
    • Web of Trust Web of trust Concept created by PGP creator. Juanjo Amor CACert
    • Web of Trust Web of trust Concept created by PGP creator. Instead of having a “central” CA, we can build a trust network of signed public keys. Juanjo Amor CACert
    • Web of Trust Web of trust Concept created by PGP creator. Instead of having a “central” CA, we can build a trust network of signed public keys. If A signs B, and C trust A, then C could trust B. Juanjo Amor CACert
    • Web of Trust Web of trust Concept created by PGP creator. Instead of having a “central” CA, we can build a trust network of signed public keys. If A signs B, and C trust A, then C could trust B. CACert uses a variant of trust network... Juanjo Amor CACert
    • Index Juanjo Amor CACert
    • CACert PKI What is CACERT? Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Certificates are automatically signed. Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Certificates are automatically signed. These certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Certificates are automatically signed. These certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). Web of trust: Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Certificates are automatically signed. These certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). Web of trust: Meetings, Assurance points, Prospective Assurers and Assures. Juanjo Amor CACert
    • CACert PKI What is CACERT? A community-driven certificate authority. CACERT issues public key certificates to public (server, people) freely. Robot CA: Certificates are automatically signed. These certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). Web of trust: Meetings, Assurance points, Prospective Assurers and Assures. Assured users can get, for example, email certificates with a complete CommonName field. Juanjo Amor CACert
    • CACert inclusion status Can we use CACert server certificates with some browser? Juanjo Amor CACert
    • CACert inclusion status Can we use CACert server certificates with some browser? Yes, we can import CA certificate and go. . . Juanjo Amor CACert
    • CACert inclusion status Can we use CACert server certificates with some browser? Yes, we can import CA certificate and go. . . Yes, my Linux distro (Debian, etc) includes CA certificate in ca-certificates package. Juanjo Amor CACert
    • CACert inclusion status Can we use CACert server certificates with some browser? Yes, we can import CA certificate and go. . . Yes, my Linux distro (Debian, etc) includes CA certificate in ca-certificates package. No, my browser does not recognize the certificates and I cannot trust to a strange CA.crt file! (Like a self-signed certificate) Juanjo Amor CACert
    • CACert inclusion status Can we use CACert server certificates with some browser? Yes, we can import CA certificate and go. . . Yes, my Linux distro (Debian, etc) includes CA certificate in ca-certificates package. No, my browser does not recognize the certificates and I cannot trust to a strange CA.crt file! (Like a self-signed certificate) Although Mozilla started a process to include the certificate, an audit suspended the process, because CACert needed to improve their management system. Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Only your email can be verified Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Only your email can be verified By meeting other CACert assurers you can get some points: Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Only your email can be verified By meeting other CACert assurers you can get some points: for including your real name to your account, Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Only your email can be verified By meeting other CACert assurers you can get some points: for including your real name to your account, to generate better certificates, and finally, Juanjo Amor CACert
    • CACert web of trust When you create a new CACert account: Only your email can be verified By meeting other CACert assurers you can get some points: for including your real name to your account, to generate better certificates, and finally, to be also a CACert assurer. Juanjo Amor CACert
    • CACert web of trust Some rules: Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody After you got 10 experience points, then you can issue 15 points to others Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody After you got 10 experience points, then you can issue 15 points to others . . . Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody After you got 10 experience points, then you can issue 15 points to others . . . When you got 50 experience points, then you can issue to others the maximum per session: 35 points Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody After you got 10 experience points, then you can issue 15 points to others . . . When you got 50 experience points, then you can issue to others the maximum per session: 35 points But in any case, you can, if you want, to issue less points than your maximum Juanjo Amor CACert
    • CACert web of trust Some rules: An assurer can issue you upto 35 points. You need at least 50 points to have your full name assured . . . so you need to be assured by, at least, two existing assurers With 100 points you can also be an assurer . . . but you also need to pass an “assurer challenge” More rules: When you are promoted to assurer: Initially, you can issue 10 points to other people, and get 2 experience points when you assure somebody After you got 10 experience points, then you can issue 15 points to others . . . When you got 50 experience points, then you can issue to others the maximum per session: 35 points But in any case, you can, if you want, to issue less points than your maximum Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Only the email is certified (by using email-ping) Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Only the email is certified (by using email-ping) With 6 month expiration Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Only the email is certified (by using email-ping) With 6 month expiration When you are assured (50 points) you also get Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Only the email is certified (by using email-ping) With 6 month expiration When you are assured (50 points) you also get Name and email certified Juanjo Amor CACert
    • CACert client certificates A client certificate is used to: Identify yourself to a web site Email signing . . . When you create a CACert account, you can get client certificates: Only the email is certified (by using email-ping) With 6 month expiration When you are assured (50 points) you also get Name and email certified 24 month expiration Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you When you create a CACert account, you can get server certificates: Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you When you create a CACert account, you can get server certificates: With 6 month expiration Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you When you create a CACert account, you can get server certificates: With 6 month expiration When you are assured (50 points) you also get Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you When you create a CACert account, you can get server certificates: With 6 month expiration When you are assured (50 points) you also get 24 month expiration Juanjo Amor CACert
    • CACert server certificates A server certificate is used to: Secure website: identify a server to you When you create a CACert account, you can get server certificates: With 6 month expiration When you are assured (50 points) you also get 24 month expiration In all cases, you need to be able to ping DNS name by receiven a postmaster email from DNS owner, and only website DNS name is assured, because CACert assurers are not able verify legal owner. Juanjo Amor CACert
    • Questions Questions? Juanjo Amor CACert
    • Exercises Final exercises 1 Creating your CACert account. 2 Creating your email certificate, with browser and then with openssl 3 Creating a web certificate, with openssl and apache 4 Want to be assured? Juanjo Amor CACert