sales@digicert.com www.digicert.com +1 (801) 877-2100
Certificates, Revocation and
the new gTLD's Oh My!
Dan Timpson
Focus
● What is a Certificate Authority?
● Current situation with gTLDs and internal names
● Action taken so far
● Recommendations
What is a Certificate Authority?
• CA generates “roots” in a secure environment – a key ceremony, video recorded, audited, with keys on HSMs
• CA undergoes a rigorous third-party audit of its operations and policy
• CA private keys are held under extreme protections and are used to sign web site certificates and status information
• CA applies for the corresponding root certificates to be included in trusted root stores
• CA policy and operations must comply with browser root store rules in order to be trusted by default – root stores are distributed by software updates
What is a Certificate Authority?
• When issuing an SSL/TLS cert to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of the keys being used.
– This minimal validation is called Domain Validation or DV
– While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is.
• Stronger verification of site and domain ownership, and of the controls of the organizations to which certs are issued, allows issuance of higher-assurance SSL certificates
– This additional validation is called Organization Validation or OV
– Additional checks include that the organizations are registered and in good standing with their respective governments, etc.
What is a Certificate Authority?
• The strongest verification of site and domain ownership, with multiple verifications of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates
– This highest tier of verification is called Extended Validation or EV
– EV-issued certs are recognized in the browser GUI, e.g. the green bar
What is a Certificate Authority?
• CA provides certs (DV, OV or EV) to customers, chaining to trusted roots embedded in operating systems and browsers
• CA customers (site operators) install certs on their servers for secure web pages
• Users (clients of CA customers) go to secure web pages (HTTPS://); the user agent checks whether the CA’s root is included in the browser trusted root store
• If the CA’s root is in the browser’s trusted store: encrypted session, favorable padlock UI (including EV green bar)
What is a Certificate Authority?
• If the CA root is not in the client's trusted root store for the browser – warning displayed
• CAs and browsers have the ability to revoke roots, sub-CAs, and certificates for any problems
• CAs publish certificate revocation lists (CRLs) or provide updated certificate status information online (OCSP)
• If the certificate is revoked or expired – warning displayed
• CAs must complete annual audits and follow CA/B Forum rules to remain in browser trusted root stores
• Stronger rules and higher CA standards are set for the green Extended Validation or “EV” display
Revocation info
● All browsers perform some level of certificate revocation checking
● All CAs must provide revocation information via OCSP
● OCSP cache times vary by browser, with the longest cache time being 7 days
● OCSP stapling delivers the OCSP response together with the certificate
– Most current server distributions support stapling
Background - Internal names
● Prevalent use of internal-name certs
● Estimate is ~11,000 certificates issued against internal names
● Common/recommended practice until 2011
Why is this a problem?
● Collisions
– Many servers are configured this way
– Different experience externally, once the same name resolves in the public DNS
● Security
– Potential for man-in-the-middle attacks
– 5-year attack opportunity on organizations with that domain
Action taken so far
● CA/B Forum's original Baseline Requirements mandated that all internal-name certs expire or are revoked by 2015
– Based on feedback from server operators and businesses
● Roadblocks include policy, cost and training
● CA/B Forum approached by ICANN
– CA/B Forum passed a ballot – Feb 20, 2013
– Accelerates the deprecation from 5 years down to 120 days after the relevant gTLD contract is published
– 120 days is required for large volumes (top 10%)
● Mozilla.org has adopted the revised requirements
– July 31st: all CAs must comply to remain in the trust store
Action taken so far
● CASC – formed by CAs to improve education, marketing and research
– Information on OCSP stapling
– Reconfiguring servers with public FQDNs
● Avoiding collisions
– DigiCert and other CAs are actively working to migrate customers off internal names
● Communicating with customers
● Only solves training; doesn't reduce cost
● DigiCert Internal Name Tool
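As an added example (not DigiCert's Internal Name Tool or any CA's code), the check behind the last three slides in Python: classify each subjectAltName entry as internal or public, then derive the date the Feb 20, 2013 ballot's 120-day rule implies for the certificate, and the date to revoke by so that the longest 7-day OCSP cache has drained. The public-TLD list, the gTLD contract dates and the sample certificate are constructed for illustration; 1 Nov 2015 is the Baseline Requirements' expiry cut-off that the deck summarises as "by 2015".

```python
"""Internal-name audit for a TLS certificate's subjectAltName entries.

Added example, not DigiCert's Internal Name Tool. Lists and dates marked
"constructed" are illustrative, not real data.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional
import ipaddress

# Constructed: a handful of public TLDs that this checker treats as resolvable
# in the global DNS. A real tool would load the IANA root zone instead.
PUBLIC_TLDS = {"com", "net", "org", "uk", "de"}

# Constructed: applied-for gTLD strings and the day their registry contract was
# published. Only ".corp" is named on the slides; both dates are invented.
GTLD_CONTRACT_PUBLISHED: Dict[str, date] = {
    "corp": date(2014, 3, 1),
    "mail": date(2014, 4, 15),
}

# Original Baseline Requirements cut-off that the deck summarises as "by 2015".
ORIGINAL_BR_DEADLINE = date(2015, 11, 1)
# Feb 20, 2013 ballot: 120 days after the relevant gTLD contract is published.
BALLOT_GRACE = timedelta(days=120)
# Longest browser OCSP cache time stated on the revocation slide.
MAX_OCSP_CACHE = timedelta(days=7)


def _top_label(name: str) -> str:
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def is_internal_name(name: str) -> bool:
    """True when the name cannot be validated through the public DNS: a
    reserved/private IP address, a single-label host, or a name whose
    top-level label is not a public TLD (e.g. "*.corp")."""
    name = name.strip().lower().rstrip(".")
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    if "." not in name:
        return True
    return _top_label(name) not in PUBLIC_TLDS


def deprecation_deadline(name: str) -> Optional[date]:
    """Date by which a certificate carrying `name` must expire or be revoked,
    or None when the name is public. The ballot only ever moves the date earlier."""
    if not is_internal_name(name):
        return None
    deadline = ORIGINAL_BR_DEADLINE
    published = GTLD_CONTRACT_PUBLISHED.get(_top_label(name))
    if published is not None:
        deadline = min(deadline, published + BALLOT_GRACE)
    return deadline


def audit_certificate(subject_alt_names: List[str], not_after: date) -> dict:
    """Summarise which SAN entries are internal, the earliest deadline among
    them, and what the operator has to do about this certificate."""
    internal = [n for n in subject_alt_names if is_internal_name(n)]
    deadlines = [d for d in map(deprecation_deadline, internal) if d is not None]
    deadline = min(deadlines) if deadlines else None
    if deadline is None:
        action = "none"
    elif not_after <= deadline:
        action = "expires in time"
    else:
        action = "revoke by deadline"
    return {
        "internal_names": internal,
        "deadline": deadline,
        # Clients may keep a cached "good" OCSP response for up to 7 days, so
        # revoke early enough that the cache has expired by the deadline.
        "revoke_by": None if deadline is None else deadline - MAX_OCSP_CACHE,
        "action": action,
    }


# Constructed sample: a 2013-era certificate for a mail host that carries one
# public name alongside three internal ones.
SAMPLE_SANS = ["mail.example.com", "mail.corp", "mailserver", "10.1.2.3"]
SAMPLE_NOT_AFTER = date(2016, 6, 30)

if __name__ == "__main__":
    for key, value in audit_certificate(SAMPLE_SANS, SAMPLE_NOT_AFTER).items():
        print(f"{key}: {value}")
```

For the sample certificate the earliest deadline comes from "mail.corp" (contract date plus 120 days), not from the 2015 cut-off, which is exactly why a cert valid into 2016 has to be revoked rather than left to expire.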
Recommendations for ICANN
● Don't approve the names that are most commonly used in internal certs until 2015
– DigiCert letter (.corp gTLD)
– PayPal letter
● Approve the application but delay the delegation until 2015
● Remaining 90% can move forward with minimal impact
● Security issues with certs are effectively resolved

More Related Content

Similar to Certificates, Revocation and the new gTLD's Oh My!

Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
DigiCert, Inc.
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Meghan Weinreich
 
Taking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the SolutionsTaking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the Solutions
Blytheco
 
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce SitesCraig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
DigiCert, Inc.
 
Cyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense MechanismsCyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense Mechanisms
Jim Kaplan CIA CFE
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltdclarkems
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
ReliqusConsulting
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018
Oracle Developers
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle Developers
 
Introduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com PlatformIntroduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com Platform
Salesforce Developers
 
Info On All Certificates
Info On All CertificatesInfo On All Certificates
Info On All CertificatesPedro Santos
 
Automating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous IntegrationAutomating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous Integration
Sebastian Wagner
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for you
Cloudflare
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Amazon Web Services
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
Vishwas Manral
 
Cisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015dCisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015d
Amy Blanchard
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
CASCouncil
 

Similar to Certificates, Revocation and the new gTLD's Oh My! (20)

Tech t18
Tech t18Tech t18
Tech t18
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
 
Taking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the SolutionsTaking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the Solutions
 
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce SitesCraig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
 
Cyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense MechanismsCyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense Mechanisms
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltd
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
 
2012 ah vegas guest access fundamentals
2012 ah vegas   guest access fundamentals2012 ah vegas   guest access fundamentals
2012 ah vegas guest access fundamentals
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
 
Introduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com PlatformIntroduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com Platform
 
Info On All Certificates
Info On All CertificatesInfo On All Certificates
Info On All Certificates
 
Automating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous IntegrationAutomating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous Integration
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for you
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
 
Cisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015dCisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015d
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 

More from CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
CASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
CASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
CASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
CASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
CASCouncil
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
CASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
CASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
CASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
CASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
CASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
CASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
CASCouncil
 

More from CASCouncil (18)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 

Certificates, Revocation and the new gTLD's Oh My!

Slide 1: Certificates, Revocation and the new gTLD's Oh My!
Dan Timpson
sales@digicert.com www.digicert.com +1 (801) 877-2100

Slide 2: Focus
● What is a Certificate Authority?
● Current situation with gTLDs and internal names
● Action taken so far
● Recommendations

Slide 3: What is a Certificate Authority?
• The CA generates "roots" in a secure environment: key ceremony, video recorded, audited, keys on HSMs
• The CA undergoes a rigorous third-party audit of its operations and policy
• CA private keys are held under extreme protections and are used to sign web site certificates and status information (CRLs, OCSP responses)
• The CA applies for the corresponding root certificates to be included in trusted root stores
• CA policy and operations must comply with browser root store rules to be trusted by default; roots are distributed by software updates

Slide 4: What is a Certificate Authority?
• When issuing an SSL/TLS certificate to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of the keys being used.
  – This minimal validation is called Domain Validation (DV)
  – While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is.
• Stronger verification of site and domain ownership, and of the organization to which the certificate is issued, allows issuance of higher-assurance SSL certificates
  – This additional validation is called Organization Validation (OV)
  – Additional checks include that the organization is registered and in good standing with its government, etc.

Slide 5: What is a Certificate Authority?
• The strongest verification of site and domain ownership, with multiple verifications of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates
  – This highest tier of verification is called Extended Validation (EV)
  – EV certificates are recognized in the browser UI, e.g. the green bar

Slide 6: What is a Certificate Authority?
• The CA provides certificates (DV, OV or EV) to customers, chaining to trusted roots embedded in operating systems and browsers
• CA customers (site operators) install the certificates on their servers for secure web pages
• Users (clients of CA customers) go to secure web pages over HTTPS; the user agent checks that the CA's root is present in the browser's trusted root store
• If the CA's root is in the browser's trusted store: encrypted session, favorable padlock UI (including the EV green bar)

Slide 7: What is a Certificate Authority?
• If the CA root is not in the client's trusted root store for the browser, a warning is displayed
• CAs and browsers have the ability to revoke roots, sub-CAs and certificates for any problems
• CAs publish revocation lists (CRLs) or provide updated certificate status information online (OCSP)
• If a certificate is revoked or expired, a warning is displayed
• CAs must complete annual audits and follow CA/B Forum rules to remain in browser trusted root stores
• Stronger rules and higher CA standards are set for the green Extended Validation ("EV") display
Slide 8: Revocation info
● All browsers perform some level of certificate revocation checking
● All CAs must provide revocation information via OCSP
● OCSP cache times vary by browser, with the longest cache time being 7 days
● OCSP stapling delivers the OCSP response along with the certificate in the TLS handshake
  – Most current server distributions support stapling

Slide 9: Background - Internal names
● Prevalent use of certificates for internal names (host names that are not resolvable in the public DNS)
● Estimate is ~11,000 certificates issued against internal names
● Common/recommended practice until 2011

Slide 10: Why is this a problem?
● Collisions
  – Many servers are configured this way
  – Once a matching gTLD is delegated, the same name resolves differently outside the organization's network
● Security
  – Potential for man-in-the-middle attacks: a certificate issued for an internal name becomes valid for the newly public name
  – A 5-year attack window against organizations using that domain
Slide 11: Action taken so far
● The CA/B Forum's original Baseline Requirements mandated that all internal-name certificates expire or be revoked by 2015
  – Based on server operator and business feedback
● Roadblocks include policy, cost and training
● The CA/B Forum was approached by ICANN
  – The CA/B Forum passed a ballot on Feb 20, 2013
  – It accelerates the deprecation from 5 years down to 120 days after the relevant gTLD contract is published
  – 120 days is required for large volumes (top 10%)
● Mozilla.org has adopted the revised requirements
  – By July 31st all CAs must comply to remain in the trust store

Slide 12: Action taken so far
● CASC (Certificate Authority Security Council)
  – Formed by CAs to improve education, marketing and research
  – Information on OCSP stapling
  – Reconfiguring servers with public FQDNs
● Avoiding collisions
  – DigiCert and other CAs are actively working to migrate customers off internal names
  – Communicating with customers
  – Only addresses the training roadblock; does not reduce cost
  – DigiCert Internal Name Tool
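The audit that slides 9, 10 and 12 describe, as an added example: this is not the deck's code and not DigiCert's Internal Name Tool, but a stand-alone classifier over a certificate's SAN values that separates publicly resolvable FQDNs from internal names and flags names whose TLD collides with an applied-for gTLD. The public-TLD set is a constructed subset (a real audit would load the full IANA root zone list), the applied-for set contains only .corp because that is the only gTLD the deck names, and SAMPLE_SANS is constructed, not taken from any real certificate.

```python
"""Audit certificate SAN entries for internal names and new-gTLD collisions.

Added example for this deck; it is not DigiCert's Internal Name Tool. Input is
the list of SAN values as strings (dNSName and iPAddress entries, e.g. exported
from a certificate inventory), so it needs only the standard library and runs
offline.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subset of TLDs delegated in the public DNS root (assumption: a
# real audit loads the complete IANA root zone database instead).
PUBLIC_TLDS = {
    "com", "net", "org", "edu", "gov", "mil", "int", "arpa", "info", "biz",
    "name", "uk", "de", "fr", "jp", "au", "ca", "us", "ch", "nl",
}

# gTLD strings under application that collide with common internal names.
# Only ".corp" is named in the deck; a real audit loads ICANN's applied-for list.
APPLIED_FOR_GTLDS = {"corp"}


@dataclass(frozen=True)
class Finding:
    name: str      # SAN value exactly as it appeared in the certificate
    kind: str      # "public", "internal" or "collision"
    reason: str


def classify_san(value: str) -> Finding:
    """Classify one SAN value.

    - IP addresses in private, loopback, link-local or reserved ranges are internal.
    - Single-label names (no dot) are internal: they resolve only through a local
      search suffix, never in the public DNS.
    - Names whose TLD is under application as a new gTLD are collisions: once the
      gTLD is delegated, the certificate is valid for a publicly resolvable name.
    - Names whose TLD is not delegated in the public root are internal.
    - Everything else is a public FQDN (wildcards such as *.example.com included).
    """
    v = value.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return Finding(value, "internal", "non-public IP address")
        return Finding(value, "public", "globally routable IP address")

    labels = v.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return Finding(value, "internal", "single-label or malformed host name")

    tld = labels[-1]
    if tld in APPLIED_FOR_GTLDS:
        return Finding(value, "collision", f".{tld} is under application as a new gTLD")
    if tld not in PUBLIC_TLDS:
        return Finding(value, "internal", f".{tld} is not delegated in the public root")
    return Finding(value, "public", "publicly resolvable FQDN")


def audit(sans):
    """Group a certificate's SAN values by finding kind, preserving input order."""
    grouped = {"public": [], "internal": [], "collision": []}
    for finding in map(classify_san, sans):
        grouped[finding.kind].append(finding.name)
    return grouped


def needs_migration(sans) -> bool:
    """True when the certificate cannot be kept as issued under the revised rules,
    i.e. it carries at least one internal name or gTLD collision."""
    result = audit(sans)
    return bool(result["internal"] or result["collision"])


# Constructed sample: SAN entries as a 2011-era internal mail server certificate
# might carry them (not taken from any real certificate).
SAMPLE_SANS = [
    "www.example.com",
    "mail.example.corp",
    "exchange01",
    "intranet.local",
    "10.0.0.5",
    "*.example.corp",
    "93.184.216.34",
]

if __name__ == "__main__":
    for finding in map(classify_san, SAMPLE_SANS):
        print(f"{finding.kind:9} {finding.name:20} {finding.reason}")
    print("needs migration:", needs_migration(SAMPLE_SANS))
```

Collision is checked before the public-TLD test on purpose: a name under an applied-for gTLD is the urgent case (it is the one that becomes publicly valid on delegation), so it must not be lumped in with ordinary internal names that merely fail to resolve.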
Slide 13: Recommendations for ICANN
● Don't approve the names most commonly used in internal certificates until 2015
  – DigiCert letter (.corp gTLD)
  – PayPal letter
● Alternatively, approve the application but delay the delegation until 2015
● The remaining 90% can move forward with minimal impact
● The security issue with certificates is then effectively resolved