Alternatives and Enhancements to CAs for a Secure Web
Ben Wilson
Digicert, Inc. - CA/Browser Forum

Eran Messeri
Google

Session ID: ARCH-R01
Session Classification: Intermediate
Current Web PKI System
► OS / browsers have managed PKI deployment for almost 20 years
► CAs expected to implement high-security practices
► Trust model re-examined after CA operational security lapses in 2011
► CA/Browser Forum continues to improve industry practices
► There are diverse opinions about “what’s best”
► But industry self-regulating mechanisms are in place.

#RSAC

NIST Workshop in April 2013: “Improving Trust in the Online Marketplace”
► Reviewed current state and future of web PKI
► DNS-based Authentication of Named Entities (DANE)
► Certificate Transparency (CT)
► Other solutions such as pinning, CAA, and OCSP Stapling

► NIST Workshop Conclusions:
► No single solution is “best” because each is a different approach and addresses a different problem.
► Eventually a combination may provide better security, usability, reliability, simplicity, and privacy/liberty.
► Everyone should keep working on these solutions, and we’ll continue the discussion on how to improve the security of SSL/TLS.

Technology Overview

Technology Overview, Slide 2

Web PKI Hierarchy
• Multiple trust anchors
• 65 root CAs in Mozilla
• Browsers require CA security audits, and CAs screen against misleading names and provide additional identity checks
• Revocation with OCSP
• Fewer dependencies, and PKI for the web is making incremental progress with pinning, Certificate Transparency, and OCSP Stapling

DNSSEC PKI Hierarchy and DANE
• Single root zone CA
• 300+ TLDs & 1,000+ registrars
• Variance in practice for security and vetting; potential “one stop shop” for an attacker, but scope of damage is limited
• Revocation by DNS update
• Multiple dependencies: waiting until deployment of updates to BIND in stub resolvers, firewalls, routers, load balancers

Web PKI vs. DANE/DNSSEC

Certification Authority Authorization (CAA) record for ben.com:
$ORIGIN ben.com.
.    CAA 0 issue "digicert.com"

DANE TLSA records for www.ben.com:
Authorized public CA (usage 0):
_443._tcp.www.ben.com. IN TLSA 0 0 1 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
Publicly trusted SSL certificate (usage 1):
_443._tcp.www.ben.com. IN TLSA 1 0 1 1fcfef7b328e78a9d79a04531abe0fa7c66f34b1f39bf41dd63ecb0be881a411

[Screenshot: Certificate Viewer]
[Screenshot: DNSSEC Record]

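As an added example (not part of the slides), the checks behind the two record types on this slide in Python: the RFC 6844 CAA lookup that decides whether a named CA may issue for a name under ben.com, and RFC 6698 TLSA matching of a record's usage, selector and matching-type fields against a certificate (usage 0 is the "authorized CA" case, usage 1 the "end-entity certificate" case). The zone data and certificate bytes are constructed placeholders; a real check would take the records from a DNSSEC-validating resolver and real DER.

```python
"""CAA issuance check and DANE TLSA matching for records shaped like the slide's.
Constructed example: CAA_ZONE stands in for a DNSSEC-validated lookup and the
certificate bytes used in tests are placeholders, not real DER."""
import hashlib
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data modelled on the slide: ben.com authorizes digicert.com.
CAA_ZONE: Dict[str, List[CaaRecord]] = {
    "ben.com.": [(0, "issue", "digicert.com")],
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_caa_set(fqdn: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """RFC 6844 lookup: climb from the name toward the root and return the
    first CAA RRset found, or None when no ancestor publishes CAA."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return zone[owner]
    return None

def ca_may_issue(fqdn: str, ca_domain: str, wildcard: bool = False,
                 zone: Dict[str, List[CaaRecord]] = CAA_ZONE) -> bool:
    """Decide whether `ca_domain` is authorized to issue a certificate for `fqdn`."""
    rrset = relevant_caa_set(fqdn, zone)
    if rrset is None:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False  # critical flag on a tag we cannot interpret: refuse
    wanted = "issuewild" if wildcard else "issue"
    allowed = [v for _, t, v in rrset if t == wanted]
    if wildcard and not allowed:  # no issuewild present: issue records govern
        allowed = [v for _, t, v in rrset if t == "issue"]
    if not allowed:
        return True  # RRset carries no issuance restriction (e.g. iodef only)
    # Value is "<issuer-domain>[; key=value ...]"; an empty issuer forbids all CAs.
    issuers = {v.split(";")[0].strip().lower() for v in allowed}
    return ca_domain.lower() in issuers

def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse TLSA presentation data such as '0 0 1 ( 7431e5f4... 01ed00... )'."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    usage, selector, mtype = (int(f) for f in fields[:3])
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def _association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """RFC 6698: selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: record is unusable

def tlsa_rdata_for(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the presentation-format rdata an operator would publish for a certificate."""
    data = _association_data(selector, mtype, cert_der, spki_der)
    if data is None:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Does one TLSA record describe this certificate? (usage is not checked here)"""
    _, selector, mtype, data = parse_tlsa(rdata)
    expected = _association_data(selector, mtype, cert_der, spki_der)
    return expected is not None and expected == data

def dane_accepts(records: List[str], chain: List[Tuple[bytes, bytes]], pkix_valid: bool) -> bool:
    """Simplified RFC 6698 usage handling. chain[0] is the end-entity (cert_der,
    spki_der); the rest are CA certificates sent by the server. Usages 0/2 must
    match a CA in the chain, 1/3 the end-entity, and usages 0 and 1 also require
    ordinary PKIX validation to have succeeded."""
    for rdata in records:
        usage = parse_tlsa(rdata)[0]
        if usage in (0, 1) and not pkix_valid:
            continue
        candidates = chain[1:] if usage in (0, 2) else chain[:1]
        if any(tlsa_matches(rdata, cert, spki) for cert, spki in candidates):
            return True
    return False
```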
What is Certificate Transparency (CT)?
CT requires public logging of TLS/SSL certificates.
► Goals of Certificate Transparency:
► Provide insight into issued SSL certificates
► Provide better remediation services
► Ensure CAs are aware of what they issue

How does CT work?
The Merkle hash tree has two proofs:
• Consistency proof: verifies that a later log contains all certificates in the previous log, in the same sequence.
• Audit proof: verifies that any chosen certificate has been included in the log.

Process Flow
Key Points – Compatibility and Transparency
► Compatible with current PKI implementations
► Supported by Google and several CAs
► Uses current specifications for SSL/TLS, path validation, and revocation checking
► Expands the existing system with logging and log checking
► Public log shines broad light on CAs and certificates
► Public log is “detection” in security
► Early detection leads to better/faster mitigation
► Info for researchers, domain owners, CAs, and browsers, leading to greater public trust

Summary – Certificate Transparency:
► Addresses vulnerabilities in the current trust model
► Creates transparency and accountability
► Uses easily supported existing technologies
  • Avoids “unintended consequences” of unfamiliar technology
► Enhances existing self-regulating industry mechanisms like the CA/Browser Forum and Web PKI
► Is moving toward broader implementation

Take-Aways
► A secure, top-down chain of trust is integral to any web security solution.
► DANE requires end-to-end DNSSEC that doesn’t exist.
► The Web PKI of CAs and browsers has provided secure SSL/TLS communication for nearly twenty years.
► All stakeholders in the online ecosystem continue to improve the security of SSL/TLS with enhancements.
► CT logging systems will publicly monitor CAs.
► CT is the best new technology for the Web PKI.

Thank you!
Ben Wilson
DigiCert and CA/Browser Forum
@DigicertBen
ben@digicert.com
www.digicert.com
Eran Messeri
Google
eranm@google.com
http://www.certificate-transparency.org/
