Alternatives and Enhancements to CAs for a Secure Web
Ben Wilson
DigiCert, Inc. - CA/Browser Forum

Eran Messeri
Google

Session ID: ARCH-R01
Session Classification: Intermediate
Current Web PKI System
► OS / Browsers have Managed PKI Deployment for Almost 20 Years
► CAs expected to implement high-security practices
   ► Trust model re-examined after CA operational security lapses in 2011
   ► CA/Browser Forum continues to improve industry practices
► There are diverse opinions about “what’s best”
   ► But industry self-regulating mechanisms are in place.

#RSAC

NIST Workshop in April 2013
“Improving Trust in the Online Marketplace”
► Reviewed current state and future of web PKI
► DNS-based Authentication of Named Entities (DANE)
► Certificate Transparency (CT)
► Other solutions such as pinning, CAA, and OCSP Stapling

► NIST Workshop Conclusions:
► No single solution is “best” because each is a different approach and addresses a different problem.
► Eventually a combination may provide better security, usability, reliability, simplicity, and privacy/liberty.
► Everyone keep working on these solutions, and we’ll continue the discussion on how to improve security of SSL/TLS.

Technology Overview

Technology Overview, Slide 2

Web PKI Hierarchy
• Multiple Trust Anchors
• 65 Root CAs in Mozilla
• Browsers require CA security audits and CAs screen against misleading names and provide additional identity checks
• Revocation with OCSP
• Fewer dependencies and PKI for the web making incremental progress with Pinning, Certificate Transparency, OCSP Stapling

DNSSEC PKI Hierarchy and DANE
• Single Root Zone CA
• 300+ TLDs & 1,000+ registrars
• Variance in practice for security and vetting, potential “one stop shop” for an attacker, but scope of damage is limited
• Revocation by DNS Update
• Multiple dependencies – waiting until deployment of updates to BIND in stub resolvers, firewalls, routers, load balancers

Web PKI vs. DANE/DNSSEC

Certification Authority Authorization (CAA)
$ORIGIN ben.com.
. CAA 0 issue "digicert.com";

DANE
Authorized Public CA
_443._tcp.www.ben.com. IN TLSA 0 0 1 ( 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf )
Publicly Trusted SSL Certificate
_443._tcp.www.ben.com. IN TLSA 1 0 1 ( 1fcfef7b328e78a9d79a04531abe0fa7c66f34b1f39bf41dd63ecb0be881a411 )
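Added example (not from the slides): a Python sketch of how a validating client would read TLSA records like the two above and match them against a presented certificate chain. The certificate bytes are constructed placeholders, only selector 0 (full certificate) is handled, and the PKIX path validation that usages 0 and 1 also require is assumed to happen elsewhere.

```python
import hashlib

# TLSA record as shown on the slide, with its RDATA folded inside parentheses.
SLIDE_RECORD = """_443._tcp.www.ben.com. IN TLSA 0 0 1
( 7431e5f4c3c1ce4690774f0b61e05440883ba9a
01ed00ba6abd7806ed3b118cf )"""

# Certificate usage field (names from RFC 7218).
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# Matching type field: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DIGEST = {
    0: lambda der: der,
    1: lambda der: hashlib.sha256(der).digest(),
    2: lambda der: hashlib.sha512(der).digest(),
}


def parse_tlsa(text):
    """Parse one zone-file TLSA record, including multi-line RDATA."""
    fields = text.replace("(", " ").replace(")", " ").split()
    if "TLSA" not in fields:
        raise ValueError("not a TLSA record")
    i = fields.index("TLSA")
    if len(fields) < i + 5:
        raise ValueError("TLSA record is missing fields")
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    if usage not in USAGE or selector not in (0, 1) or mtype not in DIGEST:
        raise ValueError("unsupported TLSA parameters")
    data = bytes.fromhex("".join(fields[i + 4:]))
    expected_len = {1: 32, 2: 64}.get(mtype)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("digest length does not fit the matching type")
    # Owner name encodes port and transport: _443._tcp.www.ben.com.
    port, proto, host = fields[0].split(".", 2)
    return {
        "port": int(port.lstrip("_")), "proto": proto.lstrip("_"), "host": host,
        "usage": usage, "selector": selector, "mtype": mtype, "data": data,
    }


def tlsa_matches(record, chain):
    """Return True if the record's association data matches the chain.

    `chain` is a list of DER certificates, leaf first. Usages 1 and 3 bind
    the leaf certificate; usages 0 and 2 bind a CA certificate in the chain.
    """
    if record["selector"] != 0:
        raise NotImplementedError("selector 1 needs an X.509 parser for the SPKI")
    candidates = chain[:1] if record["usage"] in (1, 3) else chain[1:]
    digest = DIGEST[record["mtype"]]
    return any(digest(cert) == record["data"] for cert in candidates)


# Constructed placeholders standing in for DER-encoded certificates.
LEAF = b"constructed-leaf-certificate"
PINNED_CA = b"constructed-authorized-ca-certificate"
OTHER_CA = b"constructed-unrelated-ca-certificate"


def make_record(usage, cert):
    """Build a TLSA record (selector 0, SHA-256) in the slide's layout."""
    h = hashlib.sha256(cert).hexdigest()
    return f"_443._tcp.www.ben.com. IN TLSA {usage} 0 1\n( {h[:39]}\n{h[39:]} )"


if __name__ == "__main__":
    print(parse_tlsa(SLIDE_RECORD))
    ca_pin = parse_tlsa(make_record(0, PINNED_CA))
    print("chain from authorized CA:", tlsa_matches(ca_pin, [LEAF, PINNED_CA]))
    print("chain from another CA:   ", tlsa_matches(ca_pin, [LEAF, OTHER_CA]))
```

A usage 0 record rejects a chain issued by any CA other than the one the domain owner published, which is the "Authorized Public CA" case on the slide.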

[Figures: Certificate Viewer; DNSSEC Record]

What is Certificate Transparency (CT)?
CT requires public logging of TLS/SSL certificates
► Goals of Certificate Transparency:
► Provide insight into issued SSL certificates
► Provide better remediation services
► Ensure CAs are aware of what they issue

How does CT work?

Merkle hash tree has two proofs:
• Consistency proof verifies that a later log contains all certificates in previous log in same sequence.
• Audit proof verifies that any chosen certificate has been included in the log.
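Added example (not from the slides or from the CT project's code): both proofs in Python, using the Merkle tree definitions of RFC 6962 and the verification steps laid out in RFC 9162. The seven log entries are constructed placeholders for certificates, and the function names are this example's own.

```python
import hashlib


def leaf_hash(entry):
    """Leaf hash; the 0x00 prefix keeps leaves distinct from interior nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left, right):
    """Interior node hash, domain-separated with 0x01."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n):
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries):
    """Merkle tree head over an ordered list of log entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split_point(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def audit_path(index, entries):
    """Log side: sibling hashes proving entries[index] is in the tree."""
    if not 0 <= index < len(entries):
        raise ValueError("index outside the log")
    if len(entries) == 1:
        return []
    k = split_point(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def consistency_proof(first, entries, whole=True):
    """Log side: proof that the first `first` entries are a prefix of entries."""
    if not 0 < first <= len(entries):
        raise ValueError("first tree size outside the log")
    if first == len(entries):
        return [] if whole else [tree_hash(entries)]
    k = split_point(len(entries))
    if first <= k:
        return consistency_proof(first, entries[:k], whole) + [tree_hash(entries[k:])]
    return consistency_proof(first - k, entries[k:], False) + [tree_hash(entries[:k])]


def verify_inclusion(index, size, leaf, path, root):
    """Auditor side: recompute the root from a leaf hash and its audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            while fn and not (fn & 1):
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def verify_consistency(first, second, first_root, second_root, proof):
    """Monitor side: check the size-`second` tree extends the size-`first` tree."""
    if first == second:
        return not proof and first_root == second_root
    if not (0 < first < second) or not proof:
        return False
    path = list(proof)
    if (first & (first - 1)) == 0:  # power of two: old root is a node itself
        path.insert(0, first_root)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not (fn & 1):
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root


# Constructed sample log: seven placeholder entries standing in for certificates.
LOG = [b"cert-%d" % i for i in range(7)]
```

A monitor that stored the root for the first three entries can call `verify_consistency` against each later root; a log that rewrote an earlier entry cannot produce a proof that passes.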

Process Flow

Key Points – Compatibility and Transparency
► Compatible with current PKI implementations
► Supported by Google and several CAs
► Uses current specifications for SSL/TLS, path validation, and revocation checking
► Expands the existing system with logging and log-checking
► Public log shines broad light on CAs and Certificates
► Public log is “detection” in security
► Early detection leads to better/faster mitigation
► Info for researchers, domain owners, CAs, and browsers leading to greater public trust

Summary – Certificate Transparency:
► Addresses vulnerabilities in current trust model
► Creates transparency and accountability
► Uses easily supported existing technologies
   • Avoids “unintended consequences” of unfamiliar technology
► Enhances existing self-regulating industry mechanisms like CA/Browser Forum and Web PKI
► Is moving toward broader implementation

Take-Aways
► A secure, top-down chain of trust is integral to any web security solution.
► DANE requires end-to-end DNSSEC that doesn’t exist.
► The Web PKI of CAs and Browsers has provided secure SSL/TLS communication for nearly twenty years.
► All stakeholders in the online ecosystem continue to improve the security of SSL/TLS with enhancements.
► CT logging systems will publicly monitor CAs.
► CT is the best new technology for the Web PKI.

Thank you!
Ben Wilson
DigiCert and CA/Browser Forum
@DigicertBen
ben@digicert.com
www.digicert.com
Eran Messeri
Google
eranm@google.com
http://www.certificate-transparency.org/

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Alternatives and Enhancements to CAs for a Secure Web

  • 1. Alternatives and Enhancements to CAs for a Secure Web
       Ben Wilson, Digicert, Inc. - CA/Browser Forum
       Eran Messeri, Google
       Session ID: ARCH-R01
       Session Classification: Intermediate
  • 2. Current Web PKI System
       ► OS / Browsers have Managed PKI Deployment for Almost 20 Years
       ► CAs expected to implement high-security practices
       ► Trust model re-examined after CA operational security lapses in 2011
       ► CA/Browser Forum continues to improve industry practices
       ► There are diverse opinions about “what’s best”
       ► But industry self-regulating mechanisms are in place.
  • 3. NIST Workshop in April 2013: “Improving Trust in the Online Marketplace”
       ► Reviewed current state and future of web PKI
       ► DNS-based Authentication of Named Entities (DANE)
       ► Certificate Transparency (CT)
       ► Other solutions such as pinning, CAA, and OCSP Stapling
       ► NIST Workshop Conclusions:
       ► No single solution is “best” because each is a different approach and addresses a different problem.
       ► Eventually a combination may provide better security, usability, reliability, simplicity, and privacy/liberty.
       ► Everyone keep working on these solutions, and we’ll continue the discussion on how to improve security of SSL/TLS.
  • 4. Technology Overview
  • 5. Technology Overview, Slide 2
       Web PKI Hierarchy
         • Multiple Trust Anchors
         • 65 Root CAs in Mozilla
         • Browsers require CA security audits and CAs screen against misleading names and provide additional identity checks
         • Revocation with OCSP
         • Fewer dependencies and PKI for the web making incremental progress with Pinning, Certificate Transparency, OCSP Stapling
       DNSSEC PKI Hierarchy and DANE
         • Single Root Zone CA
         • 300+ TLDs & 1,000+ registrars
         • Variance in practice for security and vetting, potential “one stop shop” for an attacker, but scope of damage is limited
         • Revocation by DNS Update
         • Multiple dependencies – waiting until deployment of updates to BIND in stub resolvers, firewalls, routers, load balancers
  • 6. Web PKI vs. DANE/DNSSEC
       Certification Authority Authorization (CAA)
         $ORIGIN ben.com.
         . CAA 0 issue "digicert.com";
       DANE Authorized Public CA
         _443._tcp.www.ben.com. IN TLSA 0 0 1 ( 7431e5f4c3c1ce4690774f0b61e05440883ba9a 01ed00ba6abd7806ed3b118cf )
       Publicly Trusted SSL Certificate
         _443._tcp.www.ben.com. IN TLSA 1 0 1 ( 1fcfef7b328e78a9d79a04531abe0fa7c66f34b1f 39bf41dd63ecb0be881a411 )
       [Images: Certificate Viewer; DNSSEC Record]
  • 7. What is Certificate Transparency (CT)?
       CT requires public logging of TLS/SSL certificates
       ► Goals of Certificate Transparency:
       ► Provide insight into issued SSL certificates
       ► Provide better remediation services
       ► Ensure CAs are aware of what they issue
       How does CT work?
       Merkle hash tree has two proofs:
         • Consistency proof verifies that a later log contains all certificates in previous log in same sequence.
         • Audit proof verifies that any chosen certificate has been included in the log.
  • 8. Process Flow
  • 9. Key Points – Compatibility and Transparency
       ► Compatible with current PKI implementations
       ► Supported by Google and Several CAs
       ► Uses current specifications for SSL/TLS, path validation, and revocation checking
       ► Expands the existing system with logging and log checking
       ► Public log shines broad light on CAs and Certificates
       ► Public log is “detection” in security
       ► Early detection leads to better/faster mitigation
       ► Info for researchers, domain owners, CAs, and browsers leading to greater public trust
  • 10. Summary – Certificate Transparency:
        ► Addresses vulnerabilities in current trust model
        ► Creates transparency and accountability
        ► Uses easily supported existing technologies
          • Avoids “unintended consequences” of unfamiliar technology
        ► Enhances existing self-regulating industry mechanisms like CA/Browser Forum and Web PKI
        ► Is moving toward broader implementation
  • 11. Take-Aways
        ► A secure, top-down chain of trust is integral to any web security solution.
        ► DANE requires end-to-end DNSSEC that doesn’t exist.
        ► The Web PKI of CAs and Browsers has provided secure SSL/TLS communication for nearly twenty years.
        ► All stakeholders in the online ecosystem continue to improve the security of SSL/TLS with enhancements.
        ► CT logging systems will publicly monitor CAs.
        ► CT is the best new technology for the Web PKI.
  • 12. Thank you!
        Ben Wilson, DigiCert and CA/Browser Forum
        @DigicertBen, ben@digicert.com, www.digicert.com
        Eran Messeri, Google
        eranm@google.com
        http://www.certificate-transparency.org/
        #RSAC