CACert - A Community-driven Certification Authority - OpenSistemas



  1. CACert: A Community-driven Certification Authority. Juanjo Amor, jjamor@opensistemas.com, OpenSistemas, 29 April 2011. Juanjo Amor CACert
  2. (cc) 2011 Juanjo Amor and Wikipedia. Some rights reserved. This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of the full license, see http://creativecommons.org/licenses/by-sa/3.0/ or write to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  3. Index
  7. About Opensistemas: Opensistemas is an international company highly specialized in offering global IT solutions based on Open Source and Linux platforms.
  13. About Opensistemas. Our Vision: to become the international leader in Open Source technologies. Our Mission: apply our knowledge of the opportunities offered by Open Source to deliver effective solutions and innovation to our customers while promoting the professional development of our employees and building value for shareholders. Our Values: deliver effective solutions to our customers; corporate social responsibility; commitment to Open Source; ethics and respect for individuals; research and innovation; teamwork; commitment to the development of a society connected by information and knowledge.
  14. About Opensistemas: Our Markets
  15. About Opensistemas: Our Partners
  16. About Opensistemas: Opensistemas is present in nine locations over five countries: Spain (Madrid, Valencia, Barcelona, Sevilla, Zaragoza), Chile (Santiago), Colombia (Bogotá), United Kingdom (London) and China (Shanghai).
  17. About Opensistemas: Contact Information: www.opensistemas.com, info@opensistemas.com, +34 902 107 396
  18. Index
  27. PKI concepts. PKI meaning: PKI = Public Key Infrastructure, a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI components: CA = Certification Authority; RA = Registration Authority; VA = Validation Authority; public keys (person, server and authority certificates); policies and procedures.
  28. PKI: diagram of a public key infrastructure
  33. PKI example 1: Standard CA. Standard CAs such as Thawte, Verisign... The CA combines the CA, RA and VA roles. Our browser trusts certificates signed by that CA. The certificate chain informs the browser about the VA. Example: try to get certificate information by using the Thawte SSL CA.
  40. PKI example 2: The FNMT CA. Spanish FNMT CA. CA: combines the CA and VA roles. RA: delegated to other institutions such as AEAT, city councils... The CA certificate is not directly recognized by standard browsers, so we should import the CA certificate into them. This is one of the first certificates acknowledged for legally identifying people or enterprises in Spain. Example: import the FNMT certificate and then get its information.
  46. PKI example 3: The DGP CA. Spanish DGP (Police) CA. CA: at DGP headquarters. RA: at DGP DNIe offices. VA: delegated to third parties (FNMT, for example). This is the CA for the Spanish electronic ID (DNIe); also acknowledged for legally identifying people. Example: import the DGP certificate and then get its information.
  51. Web of Trust. Concept created by the creator of PGP. Instead of having a “central” CA, we can build a trust network of signed public keys. If A signs B, and C trusts A, then C could trust B. CACert uses a variant of the trust network...
  52. Index
  61. CACert PKI. What is CACert? A community-driven certificate authority. CACert issues public key certificates to the public (servers, people) free of charge. Robot CA: certificates are automatically signed. These certificates are considered weak because CAcert does not put any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). Web of trust: meetings, assurance points, prospective assurers and assurees. Assured users can get, for example, email certificates with a complete CommonName field.
  66. CACert inclusion status. Can we use CACert server certificates with some browser? Yes, we can import the CA certificate and go... Yes, my Linux distro (Debian, etc.) includes the CA certificate in the ca-certificates package. No, my browser does not recognize the certificates and I cannot trust a strange CA.crt file! (Like a self-signed certificate.) Although Mozilla started a process to include the certificate, an audit suspended the process, because CACert needed to improve its management system.
  72. CACert web of trust. When you create a new CACert account, only your email can be verified. By meeting other CACert assurers you can get some points: for adding your real name to your account, to generate better certificates, and finally, to become a CACert assurer yourself.
  86. CACert web of trust. Some rules: an assurer can issue you up to 35 points. You need at least 50 points to have your full name assured... so you need to be assured by at least two existing assurers. With 100 points you can also be an assurer... but you also need to pass an “assurer challenge”. More rules, when you are promoted to assurer: initially, you can issue 10 points to other people, and you get 2 experience points when you assure somebody. After you have 10 experience points, you can issue 15 points to others... When you have 50 experience points, you can issue to others the maximum per session: 35 points. But in any case you can, if you want, issue fewer points than your maximum.
  96. CACert client certificates. A client certificate is used to: identify yourself to a web site; email signing; ... When you create a CACert account, you can get client certificates with only the email certified (by using email-ping) and a 6 month expiration. When you are assured (50 points) you also get certificates with name and email certified and a 24 month expiration.
  103. CACert server certificates. A server certificate is used to secure a website: it identifies a server to you. When you create a CACert account, you can get server certificates with a 6 month expiration. When you are assured (50 points) you also get a 24 month expiration. In all cases, you need to be able to ping the DNS name by receiving a postmaster email from the DNS owner, and only the website DNS name is assured, because CACert assurers are not able to verify the legal owner.
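The inclusion-status and server-certificate slides above come down to one mechanism: a chain only verifies when the relying party already holds the issuing CA's certificate, and a CACert-style server certificate carries nothing but the DNS name. The following shell script is an added example, not material from the deck or from CACert; it assumes the openssl command-line tool is installed, and every CA name, hostname and file name in it is constructed.

```shell
#!/bin/sh
# Added example: build two throw-away CAs, sign a server certificate with one
# of them, and show that the chain only verifies once the verifier is handed
# that CA's certificate. This is what "import the CA certificate" means.
# Assumes openssl is installed; all names and files here are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate ($2.crt / $2.key) with the given common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Server key and CSR whose subject is only the DNS name, then sign the CSR
# with the community CA. As with CACert server certificates, nothing but the
# name goes into the certificate.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/community.crt" -CAkey "$WORK/community.key" \
        -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Verification with a trust store that holds a different CA fails, exactly
# like a browser that does not ship the CACert root certificate.
verify_with_unrelated_ca() {
    openssl verify -CAfile "$WORK/unrelated.crt" "$WORK/server.crt" \
        >/dev/null 2>&1
}

# Verification after "importing" the issuing CA certificate succeeds.
verify_with_community_ca() {
    openssl verify -CAfile "$WORK/community.crt" "$WORK/server.crt" \
        >/dev/null 2>&1
}

# The subject is the only assured information in the server certificate.
server_subject() {
    openssl x509 -noout -subject -in "$WORK/server.crt"
}

make_ca "Example Community CA" community
make_ca "Unrelated CA" unrelated
make_server_cert www.example.test

server_subject
if verify_with_unrelated_ca; then
    echo "unexpected: verified without the issuing CA"
else
    echo "not trusted: issuing CA certificate is not in the trust store"
fi
verify_with_community_ca && echo "trusted after importing the CA certificate"
```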
  104. Questions?
  105. Final exercises: 1. Creating your CACert account. 2. Creating your email certificate, with a browser and then with openssl. 3. Creating a web certificate, with openssl and apache. 4. Want to be assured?
