Certificates, Revocation and the new gTLD's Oh My!
Dan Timpson
sales@digicert.com www.digicert.com +1 (801) 877-2100
Focus
● What is a Certificate Authority?
● Current situation with gTLDs and internal names
● Action taken so far
● Recommendations
What is a Certificate Authority?
• CA generates "roots" in a secure environment – key ceremony, video recorded, audited, keys held on HSMs
• CA undergoes a rigorous third-party audit of operations and policy
• CA private keys are held under extreme protections and used to sign web site certificates and status information
• CA applies for the corresponding root certificates to be included in trusted root stores
• CA policy and operations must comply with browser root store rules in order to be trusted by default – distributed by software updates
What is a Certificate Authority?
• When issuing an SSL/TLS cert to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of the keys being used.
– This minimal validation is called Domain Validation or DV
– While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is.
• Stronger verification of site and domain ownership, and controls for the organizations to which certs are issued, allows issuance of higher-assurance SSL certificates
– This additional validation is called Organization Validation or OV
– Additional checks include that the organizations are registered and in good standing with their respective governments, etc.
What is a Certificate Authority?
• The strongest verification of site and domain ownership, with multiple verification of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates
– This highest tier of verification is called Extended Validation or EV
– EV-issued certs are recognized in the browser GUI, e.g. the green bar
What is a Certificate Authority?
• CA provides certs (DV, OV or EV) to customers, chaining to trusted roots embedded in operating systems and browsers
• CA customers (site operators) install certs on their servers for secure web pages
• Users (clients of CA customers) go to secure web pages (https://); the user agent checks whether the CA's root is included in the browser trusted root store
• If the CA's root is in the browser's trusted store: encrypted session, favorable padlock UI (including EV green bar)
What is a Certificate Authority?
• If the CA root is not in the client's trusted root store for the browser – warning displayed
• CAs and browsers have the ability to revoke roots, sub-CAs and certificates for any problems
• CAs publish certificate revocation lists (CRLs) or provide updated certificate status information online (OCSP)
• If a certificate is revoked or expired – warning displayed
• CAs must complete annual audits and follow CA/B Forum rules to remain in browser trusted root stores
• Stronger rules and higher CA standards are set for the green Extended Validation or "EV" display
Revocation info
● All browsers perform some level of certificate revocation checking
● All CAs must provide revocation information via OCSP
● OCSP cache times vary by browser, with the longest cache time being 7 days
● OCSP stapling delivers the OCSP response together with the certificate
– Most current server distributions support stapling
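The slide leaves implicit what a client actually does with a stapled OCSP response. The following is an added illustration (not code from the deck or from DigiCert) of the acceptance logic: the response must cover this certificate's serial, be inside its thisUpdate/nextUpdate window and report "good", and the client may then cache it until nextUpdate, capped by its own maximum (the deck's 7-day figure is used as the cap). The OcspResponse fields, the sample responses and the timestamps are constructed for the example.

```python
# Added illustration (not from the deck): how a client decides whether to
# accept a stapled OCSP response, and how long it may cache it.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Longest browser cache lifetime mentioned in the deck (7 days).
MAX_BROWSER_CACHE = timedelta(days=7)


@dataclass
class OcspResponse:
    """The fields of a single-certificate OCSP response that drive the decision."""
    serial: int            # serial number of the certificate the response covers
    status: str            # "good", "revoked" or "unknown" (RFC 6960 CertStatus)
    this_update: datetime  # start of the validity window (thisUpdate)
    next_update: datetime  # when the responder promises fresher information (nextUpdate)


def evaluate_staple(resp, cert_serial, now, max_cache=MAX_BROWSER_CACHE):
    """Return (accept, reason, cache_until).

    A response is usable only if it is for this certificate, is inside its
    validity window and says "good". A usable response may be cached until
    nextUpdate, but never longer than the client's own maximum lifetime.
    """
    if resp.serial != cert_serial:
        return False, "response covers a different certificate", None
    if now < resp.this_update:
        return False, "thisUpdate is in the future (clock skew or replay)", None
    if now >= resp.next_update:
        return False, "response expired; a fresh one is needed", None
    if resp.status != "good":
        return False, "status is %s" % resp.status, None
    cache_until = min(resp.next_update, now + max_cache)
    return True, "good", cache_until


# Constructed samples: a fresh "good" response, an expired one, and a "revoked" one.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
SERIAL = 0x1234
FRESH = OcspResponse(SERIAL, "good", NOW - timedelta(days=1), NOW + timedelta(days=10))
STALE = OcspResponse(SERIAL, "good", NOW - timedelta(days=9), NOW - timedelta(days=2))
REVOKED = OcspResponse(SERIAL, "revoked", NOW - timedelta(hours=1), NOW + timedelta(days=4))

if __name__ == "__main__":
    for label, resp in (("fresh", FRESH), ("stale", STALE), ("revoked", REVOKED)):
        print(label, evaluate_staple(resp, SERIAL, NOW))
```

Note that the fresh response is valid for 10 more days but is cached for only 7, the cap winning over nextUpdate; a server that staples should therefore refresh its stored response well before nextUpdate so clients never receive one that fails the expiry check. Whether a live server is stapling can be seen with `openssl s_client -connect host:443 -status`, which prints the OCSP response (if any) the server sends during the handshake.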
Background – Internal names
● Prevalent use of internal name certs
● Estimate is ~11,000 certificates issued against internal names
● Common/recommended practice until 2011
Why is this a problem?
● Collisions
– Many servers are configured this way
– Different experience externally
● Security
– Potential for man-in-the-middle attacks
– 5-year attack opportunity on organizations with that domain
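The collision risk is easiest to see on a concrete SAN list. Below is an added example (not the deck's or DigiCert's tool) that classifies each subjectAltName entry of a certificate as public, internal, or internal with collision risk, and computes the replacement deadline implied by the accelerated rule discussed later in the deck (120 days after the gTLD contract is published, or the cert's own expiry if sooner). The TLD allowlist, the applied-for set (".corp" is the one string the deck names; the rest is an assumption), the sample SANs and the dates are all constructed for the example.

```python
# Added illustration (not from the deck): flag SAN entries that are internal
# names, and single out the ones that would collide with a new gTLD.
import ipaddress
from datetime import date, timedelta

# Constructed allowlist standing in for the IANA root zone; a real audit would
# load the full list (or the Public Suffix List) instead.
PUBLIC_TLDS = {"com", "net", "org", "edu", "uk", "de"}
# Strings applied for as new gTLDs that are common in internal certs.
# ".corp" comes from the deck; including ".home" is an assumption.
APPLIED_FOR_GTLDS = {"corp", "home"}


def classify_name(name):
    """Classify one SAN entry: public, public-ip, internal, or collision-risk."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard: classify the base name
        name = name[2:]
    try:
        ip = ipaddress.ip_address(name)
        return "internal" if ip.is_private else "public-ip"
    except ValueError:
        pass                           # not an IP literal, treat as a hostname
    labels = name.split(".")
    if len(labels) == 1:               # single label such as "intranet" or "mail"
        return "internal"
    tld = labels[-1]
    if tld in PUBLIC_TLDS:
        return "public"
    if tld in APPLIED_FOR_GTLDS:
        # Resolves only on the LAN today, but on the public Internet once delegated.
        return "collision-risk"
    return "internal"


def audit_sans(sans):
    """Map each SAN entry to its classification."""
    return {n: classify_name(n) for n in sans}


def replace_by(not_after, contract_published):
    """Latest date a collision-risk cert may remain in service: 120 days after
    the gTLD contract is published, or its own expiry if that comes first."""
    return min(not_after, contract_published + timedelta(days=120))


# Constructed SAN list from a hypothetical internal mail server certificate.
SAMPLE_SANS = ["mail.example.com", "mail.corp", "mail", "10.0.0.25", "*.fileshare.lan"]
# Constructed dates: the cert's notAfter and a hypothetical contract publication date.
NOT_AFTER = date(2016, 1, 1)
CONTRACT_PUBLISHED = date(2013, 9, 1)

if __name__ == "__main__":
    for name, verdict in audit_sans(SAMPLE_SANS).items():
        print(f"{name:20} {verdict}")
    print("replace collision-risk names by", replace_by(NOT_AFTER, CONTRACT_PUBLISHED))
```

Run against a real certificate, the SAN list would come from parsing the certificate (for example with `openssl x509 -noout -ext subjectAltName`); the point of the example is that "mail.corp" looks no different from "mail.example.com" to a client today, which is exactly why a publicly trusted cert for it becomes a man-in-the-middle instrument once .corp resolves publicly.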
Action taken so far
● CA/B Forum's original Baseline Requirements mandated that all internal-name certs expire or are revoked by 2015
– Based on feedback from server operators and businesses
● Roadblocks include policy, cost and training
● CA/B Forum approached by ICANN
– CA/B Forum passed a ballot – Feb 20, 2013
– Accelerates the deprecation from 5 years down to 120 days after the relevant gTLD contract is published.
– 120 days is required for large volumes (top 10%)
● Mozilla.org has adopted the revised requirements
– July 31st: all CAs must comply to remain in the trust store
Action taken so far
● CASC – was formed by CAs to improve education, marketing and research
– Information on OCSP stapling
– Reconfiguring servers with public FQDNs
● Avoiding collisions
– DigiCert and other CAs are actively working to migrate customers off internal names
● Communicating with customers
● Only solves training; doesn't reduce cost
● DigiCert Internal Name Tool
Recommendations for ICANN
● Don't approve the names that are most commonly used in internal certs until 2015
– DigiCert letter (.corp gTLD)
– PayPal letter
● Approve the application but delay the delegation until 2015
● Remaining 90% can move forward with minimal impact
● Security issues with certs are effectively resolved
