The PKI
CACert

CACert
A Community-driven Certification Authority

Juanjo Amor / Antonio Peña

jjamor@gmail.com
apenav@gmail.com

14 October 2011

Juanjo Amor / Antonio Peña    CACert
(cc) 2011 Juanjo Amor, Antonio Peña and Wikipedia
Some rights reserved. This work is licensed under the Creative Commons
Attribution-ShareAlike License. To view a copy of the full license, see
http://creativecommons.org/licenses/by-sa/3.0/ or write to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.




PKI concepts

  PKI meaning...
      PKI = Public Key Infrastructure
      a set of hardware, software, people, policies, and procedures
      needed to create, manage, distribute, use, store, and revoke
      digital certificates
  PKI components...
      CA = Certification Authority
      RA = Registration Authority
      VA = Validation Authority
      Public keys (person, server and authority certificates)
      Policies and procedures


PKI




        (figure: diagram of a public key infrastructure)
PKI example 1: Standard CA




  Standard CAs such as Thawte, Verisign...
      CA: combines the CA, RA and VA roles.
      Our browser trusts certificates signed by that CA.
      The certificate chain tells the browser about the VA.




PKI example 2: The DGP CA



  Spanish DGP (Police) CA
      CA: At DGP headquarters
      RA: At DGP DNIe offices
      VA: Delegated to third parties (FNMT, for example)
      This is the CA for the Spanish electronic ID (DNIe). It is also
      recognized for legally identifying people.




Web of Trust




  Web of trust
      Concept introduced by the creator of PGP.
      Instead of having a “central” CA, we can build a trust
      network of signed public keys.
      If A signs B, and C trusts A, then C could trust B.
      CACert uses a variant of the trust network...




CACert PKI

  What is CACert?
     A community-driven certificate authority.
     CACert issues public key certificates (server, personal) to the
     public free of charge.
     Robot CA: Certificates are signed automatically. These
     certificates are considered weak because CAcert does not put
     any information in the certificate other than the domain
     name or email address (the CommonName field in X.509
     certificates).
     Web of trust: Meetings, Assurance points, Prospective
     Assurers and Assurees.
     Assured users can get, for example, email certificates with a
     complete CommonName field.

CACert inclusion status


  Can we use CACert server certificates with some browser?
      Yes, we can import the CA certificate and go...
      Yes, my Linux distro (Debian, etc.) includes the CA certificate in
      the ca-certificates package.
      No, my browser does not recognize the certificates and I
      cannot trust a strange CA.crt file! (Like a self-signed
      certificate)
      Although Mozilla started a process to include the certificate,
      an audit suspended the process, because CACert needed to
      improve its management system.




CACert web of trust



  When you create a new CACert account:
      Only your email can be verified
  By meeting other CACert assurers you can get some points:
      to include your real name in your account,
      to generate better certificates, and finally,
      to become a CACert assurer yourself.




CACert web of trust
  Some rules:
      An assurer can issue you up to 35 points.
      You need at least 50 points to have your full name assured
      . . . so you need to be assured by at least two existing assurers
      With 100 points you can also become an assurer
      . . . but you also need to pass an “assurer challenge”
  More rules, once you are promoted to assurer:
      Initially, you can issue 10 points to other people, and you get 2
      experience points each time you assure somebody
      Once you have 10 experience points, you can issue 15
      points to others . . .
      Once you have 50 experience points, you can issue
      the maximum per session: 35 points
      In any case, you may choose to issue fewer points than
      your maximum
CACert client certificates


  A client certificate is used to:
       Identify yourself to a web site
       Sign email
       ...
  When you create a CACert account, you can get client certificates:
       Only the email is certified (by using an email ping)
       With a 6-month expiration
  When you are assured (50 points) you also get
       Name and email certified
       A 24-month expiration



CACert server certificates


  A server certificate is used to:
      Secure a website: identify a server to you
  When you create a CACert account, you can get server certificates:

      With a 6-month expiration
  When you are assured (50 points) you also get
      A 24-month expiration
  In all cases, you need to be able to ping the DNS name by receiving a
  postmaster email from the DNS owner, and only the website DNS name is
  assured, because CACert assurers are not able to verify the legal owner.
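The assurance-point rules from the two web-of-trust slides and the certificate profiles from the client and server certificate slides, as an added Python model that is not CAcert's own code. The thresholds (35 per session, 50 for an assured name, 100 plus the challenge for assurer, 10/15/35 issuing caps at 0/10/50 experience points, 2 experience points per assurance, 6 vs 24 months) come from the slides; the member names and the walkthrough scenario are constructed.

```python
from dataclasses import dataclass

NAME_ASSURED_AT = 50          # points needed to have the full name assured
ASSURER_ELIGIBLE_AT = 100     # points needed to become an assurer (plus the challenge)
EXPERIENCE_PER_ASSURANCE = 2  # experience points the assurer earns per assurance
ISSUING_CAPS = ((50, 35), (10, 15), (0, 10))  # (experience needed, cap per session)


@dataclass
class Member:
    name: str
    assurance_points: int = 0
    experience_points: int = 0
    passed_challenge: bool = False

    def name_assured(self) -> bool:
        return self.assurance_points >= NAME_ASSURED_AT

    def is_assurer(self) -> bool:
        return self.assurance_points >= ASSURER_ELIGIBLE_AT and self.passed_challenge

    def issuing_cap(self) -> int:
        """Maximum points this member may issue in one assurance session."""
        if not self.is_assurer():
            return 0
        for needed, cap in ISSUING_CAPS:
            if self.experience_points >= needed:
                return cap


def assure(assurer: Member, assuree: Member, points: int) -> None:
    """Record one face-to-face assurance; the assurer may issue fewer than the cap."""
    if assurer is assuree:
        raise ValueError("a member cannot assure themselves")
    cap = assurer.issuing_cap()
    if cap == 0:
        raise PermissionError(f"{assurer.name} is not an assurer")
    if not 0 < points <= cap:
        raise ValueError(f"{assurer.name} may issue 1..{cap} points, not {points}")
    assuree.assurance_points += points
    assurer.experience_points += EXPERIENCE_PER_ASSURANCE


def certificate_profile(member: Member, kind: str) -> dict:
    """Subject fields and validity a client or server certificate carries for this member."""
    assured = member.name_assured()
    profile = {"validity_months": 24 if assured else 6}
    if kind == "client":
        profile["subject_fields"] = ["email", "name"] if assured else ["email"]
    elif kind == "server":
        profile["subject_fields"] = ["dns_name"]  # only the DNS name, never the legal owner
    else:
        raise ValueError(f"unknown certificate kind: {kind}")
    return profile


def walkthrough() -> dict:
    """Constructed scenario: a newcomer is assured by two assurers of different seniority."""
    senior = Member("Ana", assurance_points=100, experience_points=50, passed_challenge=True)
    junior = Member("Bea", assurance_points=100, experience_points=10, passed_challenge=True)
    newcomer = Member("Carlos")
    assure(senior, newcomer, senior.issuing_cap())   # 35 points: one assurer is not enough
    after_one = newcomer.name_assured()
    assure(junior, newcomer, junior.issuing_cap())   # +15 points: reaches 50
    return {"after_one_assurer": after_one, "after_two_assurers": newcomer.name_assured(),
            "points": newcomer.assurance_points, "client_cert": certificate_profile(newcomer, "client"),
            "junior_experience": junior.experience_points}  # 10 + 2 = 12
```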



Let’s start!!





CAParty Madrid 2010 - Slides
