The PKI
                     CACert




                       CACert
A Community-driven Certification Authority


        Juanjo Amor / Antonio Peña

                   jjamor@gmail.com
                   apenav@gmail.com


                 14 October 2011




  Juanjo Amor / Antonio Peña    CACert

                                 (cc) 2011 Juanjo Amor, Antonio Peña and Wikipedia
                    Some rights reserved. This work is licensed under the Creative Commons
                     Attribution-ShareAlike License. To view a copy of the full license, see
                           http://creativecommons.org/licenses/by-sa/3.0/ or write to
                               Creative Commons, 559 Nathan Abbott Way, Stanford,
                                                               California 94305, USA.




PKI concepts

  PKI meaning...
      PKI = Public Key Infrastructure
      a set of hardware, software, people, policies, and procedures
      needed to create, manage, distribute, use, store, and revoke
      digital certificates
  PKI components...
      CA = Certification Authority
      RA = Registration Authority
      VA = Validation Authority
      Public keys (person, server and authority certificates)
      Policies and procedures


PKI

  [Figure: diagram of a public key infrastructure]

PKI example 1: Standard CA




  Standard CAs such as Thawte, Verisign...
      CA: combines the CA, RA and VA roles in one organisation.
      Our browser trusts certificates signed by that CA.
      The certificate chain tells the browser about the VA.




PKI example 2: The DGP CA



  Spanish DGP (Police) CA
      CA: at DGP headquarters
      RA: at DGP DNIe offices
      VA: delegated to third parties (FNMT, for example)
      This is the CA for the Spanish electronic ID (DNIe). It is also
      recognized for legally identifying people.




Web of Trust




  Web of trust
      Concept introduced by the creator of PGP.
      Instead of having a “central” CA, we can build a trust
      network of signed public keys.
      If A signs B's key, and C trusts A, then C can trust B.
      CACert uses a variant of this trust network...




CACert PKI

  What is CACert?
     A community-driven certificate authority.
     CACert issues public key certificates (server and personal) to
     the public free of charge.
     Robot CA: certificates are signed automatically. These
     certificates are considered weak because CACert does not put
     any information in the certificate other than the domain
     name or email address (the CommonName field in X.509
     certificates).
     Web of trust: meetings, assurance points, prospective
     assurers and assurees.
     Assured users can get, for example, email certificates with a
     complete CommonName field.

CACert inclusion status


  Can we use CACert server certificates with some browser?
      Yes, we can import the CA certificate and go...
      Yes, my Linux distro (Debian, etc.) includes the CA certificate in
      the ca-certificates package.
      No, my browser does not recognize the certificates and I
      cannot trust a strange CA.crt file! (Just like a self-signed
      certificate)
      Although Mozilla started a process to include the certificate,
      an audit suspended the process, because CACert needed to
      improve its management system.




CACert web of trust



  When you create a new CACert account:
      Only your email can be verified
  By meeting other CACert assurers you can get some points:
      for adding your real name to your account,
      for generating better certificates, and finally,
      for becoming a CACert assurer yourself.




CACert web of trust
  Some rules:
      An assurer can issue you up to 35 points.
      You need at least 50 points to have your full name assured
      . . . so you need to be assured by at least two existing assurers
      With 100 points you can also become an assurer
      . . . but you also need to pass an “assurer challenge”
  More rules: when you are promoted to assurer:
      Initially you can issue 10 points to other people, and you get 2
      experience points each time you assure somebody
      Once you have 10 experience points, you can issue 15
      points to others . . .
      Once you have 50 experience points, you can issue to
      others the maximum per session: 35 points
      In any case you may, if you want, issue fewer points than
      your maximum
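The point rules on this slide, together with the "variant of the web of trust" slide earlier, as a small model in Python. This is an added example, not CACert's own code: the Member class, the threshold constants and the members Senior, Mid and Alice are constructed here to show why one assurer can never assure you on their own and how an assurer's own cap grows with experience.

```python
# CACert assurance-point model (added example, not CACert code; data constructed).
from dataclasses import dataclass, field

ASSURED_AT = 50       # full name assured
ASSURER_AT = 100      # may become an assurer (after passing the challenge)
SESSION_MAX = 35      # most any assurer can issue in one session
EXPERIENCE_GAIN = 2   # experience points earned per assurance given


@dataclass
class Member:
    name: str
    assurance_points: int = 0        # received from assurers; new account = 0
    experience_points: int = 0       # earned by assuring others
    passed_challenge: bool = False   # the "assurer challenge"
    assured_by: set = field(default_factory=set)

    @property
    def is_assured(self) -> bool:
        return self.assurance_points >= ASSURED_AT

    @property
    def is_assurer(self) -> bool:
        return self.assurance_points >= ASSURER_AT and self.passed_challenge

    @property
    def max_issuable(self) -> int:
        """Per-session cap: 10 initially, 15 from 10 experience, 35 from 50."""
        if not self.is_assurer:
            return 0
        if self.experience_points >= 50:
            return SESSION_MAX
        return 15 if self.experience_points >= 10 else 10


def can_issue(assurer: Member, points: int) -> bool:
    """An assurer may issue fewer points than the cap, never more."""
    return 1 <= points <= assurer.max_issuable


def assure(assurer: Member, assuree: Member, points: int) -> None:
    """Record one face-to-face assurance session."""
    if not can_issue(assurer, points):
        raise ValueError(f"{assurer.name} may issue 1..{assurer.max_issuable} points")
    assuree.assurance_points += points
    assuree.assured_by.add(assurer.name)
    assurer.experience_points += EXPERIENCE_GAIN


def certificate_profile(m: Member) -> dict:
    """Client certificate an account can get, per the slides."""
    return {"common_name": "name and email" if m.is_assured else "email only",
            "validity_months": 24 if m.is_assured else 6}


def walkthrough() -> dict:
    """Newcomer Alice meets two assurers at a CACert meeting (constructed data)."""
    senior = Member("Senior", 100, experience_points=60, passed_challenge=True)
    mid = Member("Mid", 100, experience_points=10, passed_challenge=True)
    alice = Member("Alice")
    assure(senior, alice, 35)        # the per-session maximum ...
    after_first = alice.is_assured   # ... but 35 < 50: one assurer is never enough
    assure(mid, alice, 15)           # Mid's cap with 10 experience points
    return {"after_first": after_first, "points": alice.assurance_points,
            "assured": alice.is_assured, "assurers": sorted(alice.assured_by),
            "profile": certificate_profile(alice),
            "senior_experience": senior.experience_points}
```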

CACert client certificates


  A client certificate is used to:
       Identify yourself to a web site
       Sign email
       ...
  When you create a CACert account, you can get client certificates:
       Only the email is certified (by using an email ping)
       With a 6-month expiration
  When you are assured (50 points) you also get:
       Name and email certified
       24-month expiration



CACert server certificates


  A server certificate is used to:
      Secure a website: identify a server to you
  When you create a CACert account, you can get server certificates:
      With a 6-month expiration
  When you are assured (50 points) you also get:
      24-month expiration
  In all cases, you need to be able to "ping" the DNS name by receiving
  an email at the domain's postmaster address, and only the website's
  DNS name is assured, because CACert assurers are not able to verify
  the legal owner.



Let’s start!!




CAParty Madrid 2010 - Slides
