Understand concepts and topics in certificate management

satya - 7/16/2015, 10:37:40 AM

PKI Certificates and Certificate Authorities

Search for: PKI Certificates and Certificate Authorities

satya - 7/16/2015, 10:38:19 AM

Microsoft on certificates

satya - 7/16/2015, 10:39:46 AM

Wikipedia Certificate authorities

satya - 7/16/2015, 10:41:01 AM

Certificate Authority companies

Comodo

Symantec

GoDaddy

GlobalSign

DigiCert

satya - 7/16/2015, 11:11:28 AM

CACert: issues free public key certificates

CAcert.org is a community-driven certificate authority that issues free public key certificates to the public.[1] CAcert has over 310,000 verified users and has issued over 1,100,000 certificates as of June 2015.[2]

These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

satya - 7/16/2015, 11:12:11 AM

CACert home page: CAcert.org

satya - 7/16/2015, 11:15:50 AM

CeBIT and key signing parties

CeBIT is the world's largest and most international computer expo. The trade fair is held each year on the Hanover fairground, the world's largest fairground, in Hanover, Lower Saxony, Germany, and is considered a barometer of the state of the art in information technology. It is organized by Deutsche Messe AG.[1]

With an exhibition area of roughly 450,000 m² (5 million ft²) and up to 850,000 visitors at the apex of the dot-com boom, it is larger both in area and attendance than its Asian counterpart COMPUTEX and the no-longer held American equivalent COMDEX. CeBIT is a German language acronym for Centrum für Büroautomation, Informationstechnologie und Telekommunikation,[2] which would literally translate as "Center for Office Automation, Information Technology and Telecommunication".

satya - 7/16/2015, 11:16:25 AM

Computer Expos

CeBIT

COMDEX

satya - 7/16/2015, 11:23:45 AM

Topics in Computer Security Certificates

Computer Security: CAcert

Computer Security: Certificate revocation list

Computer Security: Certificate server

Computer Security: Extended Validation Certificate

Computer Security: Intermediate certificate authorities

Computer Security: Let's Encrypt

Computer Security: Robot certificate authority

Computer Security: Root Key Ceremony

Computer Security: SAFE-BioPharma Association

Computer Security: Self-signed certificate

Computer Security: Server gated cryptography

Computer Security: Web of trust

Computer Security: X.509

satya - 7/16/2015, 11:24:34 AM

How to protect private keys in PKI?

Search for: How to protect private keys in PKI?

satya - 7/16/2015, 11:26:15 AM

PKI Key escrows

Search for: PKI Key escrows

satya - 7/16/2015, 11:28:52 AM

CRL: Certificate revocation list

satya - 7/16/2015, 11:29:41 AM

What is OCSP?

Search for: What is OCSP?

satya - 7/16/2015, 11:31:14 AM

OCSP

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.[1] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).[2] Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

satya - 7/16/2015, 11:31:34 AM

What is wrong with PKI CRL?

Search for: What is wrong with PKI CRL?

satya - 7/16/2015, 11:58:02 AM

Browsers and CRLs

Search for: Browsers and CRLs

satya - 7/16/2015, 12:00:57 PM

A reasonable article on browsers and CRLs

satya - 7/16/2015, 12:11:09 PM

Do browsers download CRLs?

Search for: Do browsers download CRLs?

satya - 7/16/2015, 12:21:17 PM

How often browsers download CRLs?

Search for: How often browsers download CRLs?

satya - 7/16/2015, 12:24:38 PM

Here is a nice answer on SOF

satya - 7/16/2015, 12:24:57 PM

And the answer is

Typically, a client will download a CRL only when it encounters a certificate signed by a CA (certificate authority) whose CRL it does not have, or whose CRL has expired. This assumes that the client checks CRLs at all.

How often, or even if, a certificate is checked against a CA's CRL is up to the client. The CRL is a rather old technology and is being replaced by OCSP, OCSP stapling, and "pin lists". For example, Google's Chrome browser and the Firefox browser do not download CRLs at all (although Chrome can be manually configured to download CRLs).

The CRL itself will indicate when it will next be updated, but it is up to the client to go and get the update.

satya - 7/16/2015, 12:26:29 PM

Another nice blog item

satya - 7/16/2015, 12:27:02 PM

Clearest explanation

In the CRL method, the browser downloads a file from the specified URL that contains every certificate which is not yet expired but has been revoked by the CA. This file may be several hundred kilobytes in size and is typically cached on the client computer for several days or more. The CRL file is itself signed by the CA to prevent tampering.

satya - 7/16/2015, 12:27:25 PM

OCSP on the other hand

In the OCSP method, the browser contacts a web service running at the specified URL and asks the service whether a specific certificate has been revoked; again, the response is signed to prevent tampering. The response to the "Is certificate <XXX> revoked?" query is typically much smaller than downloading an entire CRL file. If each OCSP request doesn't complete in less than 15 seconds, it times out.

A variant, called OCSP Stapling, allows the secure server to cryptographically prove that it has a recent "Yes this certificate is still valid" ticket that is signed by the CA. These tickets have a short lifetime and must be periodically renewed by the server in order to return a current ticket to clients in a TLS handshake. OCSP Stapling is the fastest and most private method of revocation checking, but it's not yet deployed on most sites. OCSP Stapling is supported by IIS7 and later, and Mozilla is funding a project to add support to OpenSSL. OCSP Stapling is more private than regular OCSP because it does not result in your computer contacting the CA and telling it what secure site you've just visited.
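Added example, not part of these notes or of any of the quoted sources: a POSIX shell script that uses the openssl command-line tool to build a throwaway CA, issue a leaf certificate, revoke it and publish a CRL. It makes the quoted CRL description concrete: the CRL is signed by the CA (the signature check either passes or fails), it carries its own nextUpdate telling the client when to fetch again, and a client that never fetches or checks the CRL goes on accepting the revoked certificate. The CA name, hostname and file names are constructed for the demo; nothing here touches a real CA.

```shell
#!/bin/sh
# Added example (not from the notes above): a throwaway CA built with the
# openssl CLI. All names (Example Lab CA, leaf.example.test) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Trust anchor: a self-signed CA certificate (what the client is assumed to trust).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Lab CA" -keyout ca.key -out ca.crt 2>/dev/null

# Leaf certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -sha256 -days 30 -in leaf.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out leaf.crt 2>/dev/null

# Minimal state the `openssl ca` subcommand needs to track revoked serials.
: > index.txt
echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF

# Verdict a client reaches with only the CA certificate and no revocation data.
verify_without_crl() {
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Verdict a client reaches after downloading the CRL and enabling CRL checking.
verify_with_crl() {
    if openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check leaf.crt >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# The CRL's signature checked against the CA certificate: "verify OK" or not.
crl_signature_status() {
    if openssl crl -in ca.crl -CAfile ca.crt -noout 2>&1 | grep -q 'verify OK'; then
        echo valid
    else
        echo invalid
    fi
}

# The CRL's own statement of when a fresh copy should be fetched.
crl_next_update() {
    openssl crl -in ca.crl -noout -nextupdate | sed 's/^nextUpdate=//'
}

BEFORE=$(verify_without_crl)   # ok: nothing says the leaf is bad yet

# Revoke the leaf, then publish a CA-signed CRL carrying its serial number.
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

echo "before revocation, no CRL:    $BEFORE"
echo "after revocation, no CRL:     $(verify_without_crl)"   # still ok
echo "after revocation, CRL check:  $(verify_with_crl)"      # rejected
echo "CRL signature:                $(crl_signature_status)"
echo "CRL nextUpdate:               $(crl_next_update)"
```

Run it with `sh` on any machine that has the openssl CLI. The middle two lines of output are the point of the quoted answer: revocation only takes effect on a client that actually obtains the CRL and checks it, which is exactly what the browsers named above do not do by default.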

satya - 7/16/2015, 12:28:24 PM

OCSP Stapling is the fastest and most private method of revocation checking