SlideShare ist ein Scribd-Unternehmen logo
1 von 13
Downloaden Sie, um offline zu lesen
sales@digicert.com www.digicert.com +1 (801) 877-2100
Certificates, Revocation and
the new gTLD's Oh My!
Dan Timpson
Focus
● What is a Certificate Authority?
● Current situation with gTLD's and internal
names
● Action taken so far
● Recommendations
• CA generates “roots” in secure
environment – ceremony, video recorded,
audited, keys on HSMs
• CA undergoes rigorous third party audit
of operations and policy
• CA private keys are held under extreme
protections and used to sign web site
certificates and status information
• CA applies for corresponding root
certificates to be included into trusted
root stores
• CA policy and operations must comply
with Browser root store rules in order to
be trusted by default - distributed by
software updates
What is a Certificate Authority?
• When issuing a SSL/TLS cert to a web site, the CA verifies
certain information relating to ownership of the site with the
respective domain and verifies control of keys being used.
– This minimal validation is called Domain Validation or DV
– While DV certificates verify the consent of a domain owner, they
make no attempt to verify who the domain owner really is.
• Stronger verification of site and domain ownership and
controls for the organizations to which certs are issued
allows issuance of higher assurance SSL certificates
– This additional validation is called Organization Validation or OV
– Additional checks include that they are registered and in good standing
with their respective governments etc.
What is a Certificate Authority?
• The strongest verification of site and domain ownership
with multiple verification of direct contacts etc., allows
issuance of the highest standard of assurance for SSL
certificates
– This highest tier of verification is called Extended Validation or EV
– EV issued certs are recognized in browser GUI e.g. green bar
What is a Certificate Authority?
• CA provides certs (DV or OV or EV) to customers
chaining to trusted roots embedded in Operating
Systems and Browsers
• CA Customers (Site Operators) install certs on their
servers for secure web pages
• Users (clients of CA Customers) go to secure web pages
HTTPS://, User Agent checks for CA’s root inclusion in
browser trusted root store
• If CA’s root is in browser’s trusted store:
encrypted session, favorable padlock
UI (including EV green bar)
What is a Certificate Authority
• If CA root not in client trusted root store
for browser – warning displayed
• CAs and browsers have the ability to
revoke roots, sub-CAs, and certificates
for any problems
• CAs publish revocation lists (CRLs) or
provide updated certificate status
information online (OCSP)
• If certificate revoked or expired – warning
displayed
• CAs must complete annual audits and
follow CA/B Forum rules to remain in
browser trusted root stores
• Stronger rules and higher CA standards
are set for green Extended Validations or
“EV” display
What is a Certificate Authority
Revocation info
● All browsers perform some level of certificate
revocation checking
● All CA's must provide revocation information
via OCSP
● OCSP cache times vary by browser with the
longest cache time of 7 days
● OCSP stapling provides OCSP response
with the certificate
– Most current server distributions support stapling
Background - Internal names
● Prevalent use of internal name certs
● Estimate is ~11,000 certificates issued
against internal names
● Common/recommended practice until 2011
Why is this a problem?
● Collisions
– Many servers are configured this way
– Different experience externally
● Security
– Potential for man-in-the-middle attacks
– 5 year attack opportunity on organizations with that
domain
Action taken so far
● CA/B Forum's original baseline requirements mandated
that all internal certs expire or are revoked by 2015
– Based on server operator feedback and businesses
● Roadblocks include policy, cost and training
● CA/B Forum approached by ICANN
– CA/B Forum passed a ballot – Feb 20, 2013
– Accelerates the deprecation from 5 years down to 120 days after the
relevant gTLD contract is published.
– 120 days is required for large volumes (Top 10%)
● Mozilla.org has adopted the revised requirements
– July 31st All CA's must comply to remain in the trust store
Action taken so far
● CASC – Was formed by CA's to improve
education, marketing and research
– Information on OCSP stapling
– Reconfiguring servers with public FQDN's
● Avoiding Collisions
– Digicert and other CA's are actively working to
migrate customers off internal names
● Communicating with customers
● Only solves training doesn't reduce cost
● Digicert Internal Name Tool
Recommendations for ICANN
● Don't approve the names that are most commonly
used in internal certs until 2015
– Digicert Letter (.corp gTLD)
– PayPal letter
● Approve the application but delay the delegation
until 2015
● Remaining 90% can move forward with minimal
impact
● Security issues with certs is effectively resolved

Weitere ähnliche Inhalte

Ähnlich wie Certificates, Revocation and the new gTLD's Oh My!

Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Meghan Weinreich
 
Taking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the SolutionsTaking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the SolutionsBlytheco
 
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce SitesCraig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce SitesDigiCert, Inc.
 
Cyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense MechanismsCyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense MechanismsJim Kaplan CIA CFE
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltdclarkems
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Oracle Developers
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle Developers
 
Introduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com PlatformIntroduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com PlatformSalesforce Developers
 
Info On All Certificates
Info On All CertificatesInfo On All Certificates
Info On All CertificatesPedro Santos
 
Automating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous IntegrationAutomating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous IntegrationSebastian Wagner
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youCloudflare
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Amazon Web Services
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunVishwas Manral
 
Cisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015dCisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015dAmy Blanchard
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Precisely
 

Ähnlich wie Certificates, Revocation and the new gTLD's Oh My! (20)

Tech t18
Tech t18Tech t18
Tech t18
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
 
Taking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the SolutionsTaking Sage 500 to Sage X3: Comparing the Solutions
Taking Sage 500 to Sage X3: Comparing the Solutions
 
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce SitesCraig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
Craig Spiezle - How Does Your Site Rank? Audit of the Top 500 Ecommerce Sites
 
Cyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense MechanismsCyber Security - Boundary Defense Mechanisms
Cyber Security - Boundary Defense Mechanisms
 
Qtility software ltd
Qtility software ltdQtility software ltd
Qtility software ltd
 
2012 ah vegas guest access fundamentals
2012 ah vegas   guest access fundamentals2012 ah vegas   guest access fundamentals
2012 ah vegas guest access fundamentals
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
 
Introduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com PlatformIntroduction to WebRTC on the Force.com Platform
Introduction to WebRTC on the Force.com Platform
 
Info On All Certificates
Info On All CertificatesInfo On All Certificates
Info On All Certificates
 
Automating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous IntegrationAutomating Deployment Between Orgs Using Git & Continuous Integration
Automating Deployment Between Orgs Using Git & Continuous Integration
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for you
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
 
Cisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015dCisco datacenter ucs-best-practices_ddebussc_2015d
Cisco datacenter ucs-best-practices_ddebussc_2015d
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
 

Mehr von CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI CASCouncil
 

Mehr von CASCouncil (18)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 

Kürzlich hochgeladen

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideHironori Washizaki
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 

Kürzlich hochgeladen (20)

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 

Certificates, Revocation and the new gTLD's Oh My!

  • 1. sales@digicert.com www.digicert.com +1 (801) 877-2100 Certificates, Revocation and the new gTLD's Oh My! Dan Timpson
  • 2. Focus ● What is a Certificate Authority? ● Current situation with gTLD's and internal names ● Action taken so far ● Recommendations
  • 3. • CA generates “roots” in secure environment – ceremony, video recorded, audited, keys on HSMs • CA undergoes rigorous third party audit of operations and policy • CA private keys are held under extreme protections and used to sign web site certificates and status information • CA applies for corresponding root certificates to be included into trusted root stores • CA policy and operations must comply with Browser root store rules in order to be trusted by default - distributed by software updates What is a Certificate Authority?
  • 4. • When issuing a SSL/TLS cert to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of keys being used. – This minimal validation is called Domain Validation or DV – While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is. • Stronger verification of site and domain ownership and controls for the organizations to which certs are issued allows issuance of higher assurance SSL certificates – This additional validation is called Organization Validation or OV – Additional checks include that they are registered and in good standing with their respective governments etc. What is a Certificate Authority?
  • 5. • The strongest verification of site and domain ownership with multiple verification of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates – This highest tier of verification is called Extended Validation or EV – EV issued certs are recognized in browser GUI e.g. green bar What is a Certificate Authority?
  • 6. • CA provides certs (DV or OV or EV) to customers chaining to trusted roots embedded in Operating Systems and Browsers • CA Customers (Site Operators) install certs on their servers for secure web pages • Users (clients of CA Customers) go to secure web pages HTTPS://, User Agent checks for CA’s root inclusion in browser trusted root store • If CA’s root is in browser’s trusted store: encrypted session, favorable padlock UI (including EV green bar) What is a Certificate Authority
  • 7. • If CA root not in client trusted root store for browser – warning displayed • CAs and browsers have the ability to revoke roots, sub-CAs, and certificates for any problems • CAs publish revocation lists (CRLs) or provide updated certificate status information online (OCSP) • If certificate revoked or expired – warning displayed • CAs must complete annual audits and follow CA/B Forum rules to remain in browser trusted root stores • Stronger rules and higher CA standards are set for green Extended Validations or “EV” display What is a Certificate Authority
  • 8. Revocation info ● All browsers perform some level of certificate revocation checking ● All CA's must provide revocation information via OCSP ● OCSP cache times vary by browser with the longest cache time of 7 days ● OCSP stapling provides OCSP response with the certificate – Most current server distributions support stapling
  • 9. Background - Internal names ● Prevalent use of internal name certs ● Estimate is ~11,000 certificates issued against internal names ● Common/recommended practice until 2011
  • 10. Why is this a problem? ● Collisions – Many servers are configured this way – Different experience externally ● Security – Potential for man-in-the-middle attacks – 5 year attack opportunity on organizations with that domain
  • 11. Action taken so far ● CA/B Forum's original baseline requirements mandated that all internal certs expire or are revoked by 2015 – Based on server operator feedback and businesses ● Roadblocks include policy, cost and training ● CA/B Forum approached by ICANN – CA/B Forum passed a ballot – Feb 20, 2013 – Accelerates the deprecation from 5 years down to 120 days after the relevant gTLD contract is published. – 120 days is required for large volumes (Top 10%) ● Mozilla.org has adopted the revised requirements – July 31st All CA's must comply to remain in the trust store
  • 12. Action taken so far ● CASC – Was formed by CA's to improve education, marketing and research – Information on OCSP stapling – Reconfiguring servers with public FQDN's ● Avoiding Collisions – Digicert and other CA's are actively working to migrate customers off internal names ● Communicating with customers ● Only solves training doesn't reduce cost ● Digicert Internal Name Tool
  • 13. Recommendations for ICANN ● Don't approve the names that are most commonly used in internal certs until 2015 – Digicert Letter (.corp gTLD) – PayPal letter ● Approve the application but delay the delegation until 2015 ● Remaining 90% can move forward with minimal impact ● Security issues with certs is effectively resolved