The document summarizes Raúl Guerra Jiménez's presentation on PKI interoperability at the FIST Conference in September 2005 in Madrid. It discusses the basics of public key infrastructure (PKI) including concepts like digital certificates, certification authorities, cross-certification, and certificate revocation. It also provides examples of PKI applications in areas like internet security, remote access, virtual private networks, and securing intranets and applications.
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study), by Richard Bullington-McGuire
Richard Bullington-McGuire presented this talk on PKI enabling web applications for the DoD at the 2009 MIL-OSS conference:
http://www.mil-oss.org/
It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.
Strong Authentication in Web Application #SCS III, by Sylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri..., by TrustBearer
TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign On standards.
Apache Milagro Presentation at ApacheCon Europe 2016, by Brian Spector
Apache Milagro (incubating) establishes a new internet security framework purpose-built for cloud-connected app-centric software and IoT devices that require Internet scale. Milagro's purpose is to provide a secure, free, and positive open source alternative to centralised and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them.
Milagro is an open source, pairing-based cryptographic platform that delivers solutions for device and end user authentication, secure communications and fintech / blockchain security, all issues that challenge cloud providers and their customers. It does this without the need for certificate authorities, putting into place a new category of service providers called Distributed Trust Authorities (D-TA®).
Milagro's M-Pin® protocol, and its existing open-source MIRACL® implementation on which MILAGRO is built, is already in use by Experian, NTT, Ingram Micro, and Gov.UK and rolled out to perform at Internet scale for Zero Password® multi-factor authentication and certificate-less HTTPS / secure channel.
This presentation was given at the Card Tech Secure Tech (CTST) Conference on May 5, 2009 in New Orleans, LA. Brian Kelly was on a panel with Gilles Lisimaque, Siddharth Bajaj and Michael Poitner to discuss emerging technologies in Smart Cards, Tokens & Digital Identity.
Oberthur's 2009 CTST presentation on Generic ID-Card Command Set (GICS), by TrustBearer
Originally found at http://www.sourcemediaconferences.com/CTST09/PDF09/D/Thursday/GOYETnew.pdf – I'm adding to slideshare to make it easier to view online.
OpenID Connect: The new standard for connecting to your Customers, Partners, ..., by Salesforce Developers
With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it's critical that this is backed by open standards.
In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices.
Key Takeaways
Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization
Consume OpenID Connect from popular Identity providers with Social Sign-On
Provide a single, branded Identity to your own users and applications using OpenID Connect
Use OpenID Connect to easily build Identity-enabled mobile applications
Plan for the next generation of connected devices
Intended Audience
This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who wish to learn more about Identity and Standards.
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems, by Priyanka Aash
What happens when you need to create an open API ecosystem with robust security requirements, in a short period of time, implemented by conservative entities and mandated across the entire EU? Enter the complex world of Open Banking. In this talk, Pam Dingle will unpack the thrills and chills of the standards profiles and security measures that form the OpenID Foundation’s UK Open Banking profile.
Learning Objectives:
1: Understand differences between OAuth and OpenID Connect client registration.
2: Learn Open Banking goals and relationship to technical best practices in API Security.
3: Learn which parts of OAuth and OpenID Connect were profiled for use in open banking.
(Source: RSA Conference USA 2018)
Case VC+: How to secure a mobile payment application without penalizing the exp..., by Márcio Rosa
In this presentation we discuss the case study of the fintech VC+, covering what we did to protect ourselves and the main lessons learned, as well as what not to do. We will also demonstrate an Account Hijacking in one of the best-known applications on the market (anonymized).
PKI in DevOps: How to Deploy Certificate Automation within CI/CD, by DevOps.com
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (e.g. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
Define PKI (Public Key Infrastructure) and list and discuss the type.pdf, by xlynettalampleyxc
Define PKI (Public Key Infrastructure) and list and discuss the types of protection that it offers.
Give an example of where PKI is utilized in daily activity (industry).
Solution
Answer:
PKI (Public Key Infrastructure):
Public Key Infrastructure (PKI) is a popular encryption and authentication approach used by both small businesses and large enterprises.
What Is Public Key Infrastructure (PKI):
The PKI environment is made up of five components:
1) Certification Authority (CA) -- serves as the root of trust that authenticates the identity of individuals, computers and other entities in the network.
2) Registration Authority (RA) -- is certified by a root CA to issue certificates for uses permitted by the CA. In a Microsoft PKI environment, the RA is normally called a subordinate CA.
3) Certificate Database -- saves certificate requests issued and revoked certificates from the RA or CA.
4) Certificate Store -- saves issued certificates and pending or rejected certificate requests from the local computer.
5) Key Archival Server -- saves encrypted private keys in a certificate database for disaster recovery purposes in case the Certificate Database is lost.
6) PKI is a very effective method for implementing multi-factor authentication. Some companies, such as Unisys, require that devices that are attached to the corporate network must be able to use PKI for the encrypted and authenticated exchange of information.
7) In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like persons and organizations).
8) A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity.
Types of Protection:
1) Encryption and/or sender authentication of e-mail messages.
2) Encryption and/or authentication of documents.
3) Authentication of users to applications (e.g., smart card logon, client authentication with SSL). There's experimental usage for digitally signed HTTP authentication in the Enigform and mod_openpgp projects.
4) Bootstrapping secure communication protocols such as Internet key exchange (IKE) and SSL. In both of these, initial set-up of a secure channel security association uses asymmetric key, public key methods, whereas actual communication uses faster symmetric key, secret key methods.
5) Mobile signatures are electronic signatures that are created using a mobile device and rely on signature or certification services in a location independent telecommunication environment.
Digital certificates and information security, by Devam Shah
Digital certificates ensure secure transactions over the internet. This presentation is about information security and secure online transactions through digital certificates.
Courtesy: www.ifour-consultancy.com
Workshop: Successfully Secure DevOps Containerization and Orchestration Deplo..., by DevOps.com
Join PKI industry experts Jason Soroko (CTO of IoT) and Tim Callan (Senior Fellow) from Sectigo, to learn how TLS Certificates and Code Signing within CI/CD pipelines help you secure your DevOps environments. During this webinar, Tim and Jason will cover the following key topics, and answer all your questions:
Popular containerization and orchestration applications and how they handle PKI on their own (e.g. CA included, plug in your own outside CA, no PKI option)
How TLS Certificates and Code Signing fit into all this
Orchestration engine integration: container code signing made easy
Using Hard Disk Encryption and Novell SecureLogin, by Novell
Laptop theft is one of the most common crimes in industrial countries. Therefore, the demand for laptop security and the need to protect confidential data on hard disks is increasing. Several products on the market address this issue by offering hard disk encryption combined with login security. This session will show how these solutions can be integrated into a Novell environment.
A typical scenario might look like the following: The digital certificates used for encryption are generated in Novell eDirectory; the certificates are used with smartcards, which are also managed in eDirectory. The configuration of the hard disk encryption solution is deployed to clients with Novell ZENworks (no user interaction is necessary during installation and configuration). The hard disk encryption registration is combined with Novell SecureLogin, which results in a single sign-on.
This session will describe in detail what the configuration of hard disk encryption in such a scenario looks like, and will feature a live demonstration. The presenters are independent consultants with no interest in marketing a particular hard disk encryption solution.
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services, by kieranjacobsen
In every organization there is a growing need for a strong, well-designed public key infrastructure solution, and in many of them Active Directory Certificate Services will be used. This session will guide you through a solution based on best practice, shed some light on common issues encountered, and offer some shortcuts to assist in management with PowerShell.
4. Security Requirements
Confidentiality: ensure confidentiality of data.
Integrity: the original data has not been changed.
Authentication: proof of identity.
Non-repudiation: prevent denial of a transaction; the originator cannot deny it.
5. Paradigm Solution
Diagram (a pyramid): the four requirements across the top, Confidentiality, Integrity, Authentication and Non-repudiation, are met by the mechanisms beneath them: encryption (confidentiality), hash (integrity) and digital signature (authentication and non-repudiation). Those mechanisms rest, in turn, on public key encryption, the digital certificate, the certification authority and, at the base, the Public Key Infrastructure (PKI).
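The mapping on this slide can be made concrete with Go's standard library. The program below is an added example, not part of the talk: Digest and IntegrityOK stand for the hash, Seal and Open for encryption (AES-GCM), Sign and VerifySig for the digital signature; the sample message and every key are constructed at run time. It also shows the caveat the pyramid implies: a hash alone proves integrity but not origin, and a signature ties data to a key pair, which is what the certificate and CA layers above it then tie to an identity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Integrity: a hash detects any change to the data, but anyone can recompute it, so a bare
// hash says nothing about who produced the data (that needs a key: a MAC or a signature).
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }

// IntegrityOK reports whether data still matches a previously recorded digest.
func IntegrityOK(data []byte, recorded [32]byte) bool { return Digest(data) == recorded }

// RandomBytes returns n bytes from the OS CSPRNG (used here for keys and nonces).
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Confidentiality: AES-GCM hides the content. Being an AEAD, its tag also detects tampering,
// which plain encryption modes (CBC, CTR) do not do by themselves.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(aead.NonceSize()) // never reuse a nonce under the same key
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // output = nonce || ciphertext || tag
}

// Open reverses Seal; it fails if the key is wrong or a single bit was altered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// NewSigner generates the signer's key pair (P-256).
func NewSigner() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Authentication and non-repudiation: only the private-key holder can produce the signature,
// and anyone holding the public key can check it. Binding that public key to a person is what
// the digital certificate and the CA on the rest of the slide add.
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := Digest(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifySig checks sig over data against the signer's public key.
func VerifySig(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := Digest(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	msg := []byte("transfer 100 EUR to account 42") // constructed sample message
	key, _ := RandomBytes(32)
	sealed, _ := Seal(key, msg)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err := Open(key, sealed)
	priv, _ := NewSigner()
	sig, _ := Sign(priv, msg)
	fmt.Println("tampered ciphertext rejected:", err != nil, "| signature verifies:", VerifySig(&priv.PublicKey, msg, sig))
}
```

Running it prints that the altered ciphertext is rejected and the signature verifies; the same signature checked under a second key pair, or over a changed message, fails, which is the property non-repudiation relies on.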
8. Cross-Certification
Diagram: two Certification Authorities, AC "A" and AC "B", linked by cross-certification (third-party trust), with the end users Alicia, Juan, Elena and Pedro under them.
9. Subordinate CA
Diagram: CA1 ("Root") at the top; CA2 and CA3 beneath it; CA4, CA5, CA6 and CA7 beneath those; end users U1 to U9 at the leaves.
Classical trust model has no end root
10. The certificate
Version: 3
Serial Number: 8391037
Signature: RSA
Issuer: o=SIA, c=ES
Validity: 1/5/97 1:02 - 7/5/98 1:02
Subject: cn=Raúl Guerra, o=SIA, c=ES
Subject Public Key Info: (not shown on the slide)
Extensions: SubjectAltName: rguerra@sia.es; CRL DP: cn=CRL2, o=SIA, c=ES
The CA signs the certificate.
11. Certificate Revocation List
Unique name of the CRL. DN: cn=CRL2, o=SIA, c=ES
Period of validity. Start: 1/5/97 1:02; End: 1/6/97 1:02
Revoked certificates and reason (serial number, revocation time, reason):
191231, 4/24/96 10:20, Cessation of Operation
123832, 4/25/ 16:20, Key Compromise
923756, 4/25 16:30, Affiliation Change
CA DN: o=SIA, c=ES
CA's digital signature on the CRL
12. Keys in the client
Key lifecycle:
Key generation
Issue certificates
Certificate validation
Key usage
Expired
Key update
13. PKI
Diagram (PKI-enabled client), elements as labelled on the slide: applications such as Web, E-mail, ERP's, legacy applications and SSO, ... are either PKI-enabled applications or applications without a PKI-enabled module, which toolkits (GSS-API, CAPI, ...) PKI-enable; both reach the PKI module / PKI client, which accesses credential stores through PKCS#11 and BAPI: an ID on disk (.epf file), memory cards and smartcards (PC/SC), and biometric devices (biometric API). Protocols shown: LDAP and PKIX-CMP, alongside the PKI directory (Directorio PKI).
19. Security in the Intranet
Network Security: McAfee Network Security Suite; NetLock; Cygnus (KerbNet); other (via RSA toolkits). Goals: encrypt the traffic; secure access to resources.
Application Specific Security: RACF, ACF2, TopSecret; application level passwords; proprietary data security (Notes). Targets: databases (Oracle...); heritage (legacy) applications (Mainframe...); GroupWare (Notes...).
20. Desktop security
File Security products: Norton Your Eyes Only; PGP for Personal Privacy; Querisoft SecureFILE; McAfee VirusScan Security Suite; RSA SecurPC; AT&T SecretAgent; Entrust ICE; Entrust Entelligence.
Scope: Email; Files; Client/Server apps; E-forms; Browsers; and more...
21. Enterprise Resource Planning (ERPs)
ERP: SAP/R3; PeopleSoft; Oracle; ...
Contexts: Business-to-Business; Client/Server; Web services.
Client to server security.
22. PKI: Homogeneous solution
Diagram: PKI at the centre, with each security domain around it:
Specific systems: databases (Oracle, ...); mainframe; GroupWare.
Web Server Security: E-Commerce; Internet Banking; secure web sites.
Network Security: traffic ciphering; secure access; firewalls & routers.
Remote authentication: VPN's.
ERP: SAP/R3; PeopleSoft; Oracle; ...
Internet Users: secure Web; secure Mail; E-Commerce (SET).
Desktop Security: Email; Files; Client/Server apps; E-forms; Browsers; and more...
23. PKIs Success (I)
Integration with the software applications.
Practical solutions --> Bye, bye SET.
Users recognition.
Trust. Do you trust the CA?
What or who used my private key? Is my PC safe? Security issues in the OS or the browser (crypto software).
Is your private key in a smart card?
24. PKIs Success (II)
Are the certification practices secure (CPS)?
The CA must guarantee that the signed data (the certificate) is correct.
There is a risk if you trust the user. Do you verify the certificate from the web server in an SSL connection?
To learn more: "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure" by Bruce Schneier and Carl Ellison.
25. e-DNI
Smart Card: polycarbonate card with high security, from the FNMT.
Certificates: identity (authentication) and signature (non-repudiation) certificates; no encryption certificate.
PKI Providers: Entrust, Safelayer.
Hierarchy of CAs (root and subordinate CAs).
26. e-DNI. Questions (I)
Are other certificates necessary?
Certificate status validation methods.
Cross-certification with commercial CAs?
27. e-DNI. Questions (II)
Other certificates? YES, because:
No encryption certificate. So, to support business protection where there is encrypted data, a backed-up decryption (private) key is necessary ---> encryption certificate.
Physical identity. What about legal entities?
Use of the certificate with other information, for example medical data (medical smartcard).
Use in the private sector: home banking, corporate/enterprise smartcard, etc.
28. e-DNI. Questions (III)
Certificate status validation methods:
The system should ensure that the certificate being verified is valid (and not on a CRL).
If an entity would like technical interoperability with the e-DNI system, it is necessary to know the certificate status.
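The pieces the deck walks through, the subordinate and cross-certified CAs of slides 8 and 9, the certificate fields of slide 10, the CRL of slide 11, the "do you verify the server certificate?" question of slide 24 and the "valid and not on a CRL" rule stated here, can be exercised end to end with Go's standard crypto/x509 package. The program below is an added example, not code from the talk: it constructs two CAs, "A" and "B", a user certificate under each (the names Alicia and Pedro come from the cross-certification slide; the serial 8391037 from the certificate slide), a cross-certificate with which A vouches for B's key, and a CRL from A that revokes Alicia's certificate with RFC 5280 reason code 1 (keyCompromise). All keys, names, validity periods and serials are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PKI: CA "A" (root, user Alicia), CA "B" (root, user Pedro), A's cross-certificate over B's key, a CRL from A.
type PKI struct {
	RootA, LeafA, RootB, LeafB, CrossAB *x509.Certificate
	CRL                                 []byte // DER-encoded, signed by RootA
}

// must aborts the demo on an unexpected error (acceptable in a demo, not in library code).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the fields listed on the "The certificate" slide: subject, validity, key usage.
func template(serial int64, org, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}, Country: []string{"ES"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // an end-user (client) certificate
	}
	return t
}

// issue generates a key pair for t and has issuer sign it; a nil issuer makes t self-signed.
func issue(t, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if issuer == nil {
		issuer, issuerKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI sets up the two CAs of the "Cross-Certification" slide and a CRL like the one on slide 11.
func BuildPKI() *PKI {
	rootA, kRootA := issue(template(1, "CA A", "CA A Root", true), nil, nil)
	leafA, _ := issue(template(8391037, "CA A", "Alicia", false), rootA, kRootA)
	rootB, kRootB := issue(template(1, "CA B", "CA B Root", true), nil, nil)
	leafB, _ := issue(template(3, "CA B", "Pedro", false), rootB, kRootB)
	// Cross-certificate: A signs B's existing public key under B's own name, so a relying party
	// that trusts only A can build a path to Pedro (the slide's third-party trust).
	crossDER := must(x509.CreateCertificate(rand.Reader, template(100, "CA B", "CA B Root", true), rootA, &kRootB.PublicKey, kRootA))
	// CRL from CA A listing Alicia's serial with reason keyCompromise (RFC 5280 code 1).
	crl := &x509.RevocationList{Number: big.NewInt(2), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().AddDate(0, 1, 0),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leafA.SerialNumber, RevocationTime: time.Now(), ReasonCode: 1}}}
	return &PKI{rootA, leafA, rootB, leafB, must(x509.ParseCertificate(crossDER)), must(x509.CreateRevocationList(rand.Reader, crl, rootA, kRootA))}
}

// VerifyChain builds a path from leaf to root, via intermediate when given (slide 24's question).
// Go's default expected usage is serverAuth, so a client certificate needs it stated explicitly.
func VerifyChain(leaf, intermediate, root *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if intermediate != nil {
		opts.Intermediates.AddCert(intermediate)
	}
	_, err := leaf.Verify(opts)
	return err
}

// RevocationStatus is slide 28's "valid and not on the CRL" check; reason is RFC 5280's code, -1 if not listed.
func RevocationStatus(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, -1, err
	}
	// A list counts only if the named issuer signed it and it has not gone stale.
	if crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return false, -1, errors.New("CRL rejected: bad signature or past nextUpdate")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, -1, nil
}
```

Exercised from a test or a small main, BuildPKI followed by VerifyChain shows that Pedro's certificate fails against a relying party that trusts only CA A until the cross-certificate is supplied as an intermediate, and that the link is one-way (Alicia does not verify under CA B); RevocationStatus reports Alicia's serial as revoked with reason 1, Pedro's as not listed, and refuses the CRL outright when it is checked against a CA that did not sign it. It needs Go 1.21 or later for x509.RevocationListEntry.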
29. e-DNI. Questions (IV)
Certificate status validation methods: different validation entities.
Public: relations of citizens with the Administration ---> free??
Private sector: bank, insurance, etc. Money, money... $$??
Cost of the validation: free, or by price (and how much?)
30. e-DNI. Questions (V)
Cross-certification with other CAs? NO, because:
The same as the traditional national DNI (ID card).
Issued by the DGP (Ministry of Interior). It is a legal document in Spain.
If you just accept it, it will happen. Do you give state and private-sector organizations the same level of trust?
31. Creative Commons
Attribution-NoDerivs 2.0
You are free:
•to copy, distribute, display, and perform this work
•to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author credit.
No Derivative Works. You may not alter, transform, or build upon this work.
For any reuse or distribution, you must make the license terms of this work clear to others.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
32. @
FIST Conference
Raúl Guerra
Madrid, September 2005
www.fistconference.org