Understand concepts and topics in certificate management
satya - 7/16/2015, 10:37:40 AM
PKI Certificates and Certificate Authorities
satya - 7/16/2015, 10:41:01 AM
Certificate Authority companies
satya - 7/16/2015, 11:11:28 AM
CACert: issues free public key certificates
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public.[1] CAcert has over 310,000 verified users and has issued over 1,100,000 certificates as of June 2015.[2]
These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Sockets Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
satya - 7/16/2015, 11:15:50 AM
CeBIT and key signing parties
CeBIT is the world's largest and most international computer expo. The trade fair is held each year on the Hanover fairground, the world's largest fairground, in Hanover, Lower Saxony, Germany, and is considered a barometer of the state of the art in information technology. It is organized by Deutsche Messe AG.[1]
With an exhibition area of roughly 450,000 m² (5 million ft²) and up to 850,000 visitors at the apex of the dot-com boom, it is larger both in area and attendance than its Asian counterpart COMPUTEX and the no-longer held American equivalent COMDEX. CeBIT is a German language acronym for Centrum für Büroautomation, Informationstechnologie und Telekommunikation,[2] which would literally translate as "Center for Office Automation, Information Technology and Telecommunication".
satya - 7/16/2015, 11:23:45 AM
Topics in Computer Security Certificates
Computer Security: Certificate revocation list
Computer Security: Certificate server
Computer Security: Extended Validation Certificate
Computer Security: Intermediate certificate authorities
Computer Security: Let's Encrypt
Computer Security: Robot certificate authority
Computer Security: Root Key Ceremony
Computer Security: SAFE-BioPharma Association
Computer Security: Self-signed certificate
Computer Security: Server gated cryptography
satya - 7/16/2015, 11:24:34 AM
How to protect private keys in PKI?
satya - 7/16/2015, 11:28:52 AM
CRL: Certificate revocation list
satya - 7/16/2015, 11:31:14 AM
OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.[1] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).[2] Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
satya - 7/16/2015, 11:31:34 AM
What is wrong with PKI CRL?
satya - 7/16/2015, 12:00:57 PM
A reasonable article on browsers and CRLs
satya - 7/16/2015, 12:11:09 PM
Do browsers download CRLs?
satya - 7/16/2015, 12:21:17 PM
How often do browsers download CRLs?
satya - 7/16/2015, 12:24:57 PM
And the answer is
Typically, a client will download a CRL only when it encounters a certificate signed by a CA (certificate authority) whose CRL it does not have, or whose CRL has expired. This assumes that the client checks CRLs at all.
How often, or even if, a certificate is checked against a CA's CRL is up to the client. The CRL is a rather old technology and is being replaced by OCSP, OCSP stapling, and "pin lists". For example, Google's Chrome browser and the Firefox browser do not download CRLs at all (although Chrome can be manually configured to download CRLs).
The CRL itself will indicate when it will next be updated, but it is up to the client to go and get the update.
satya - 7/16/2015, 12:27:02 PM
Clearest explanation
In the CRL method, the browser downloads a file from the specified URL that contains every certificate which is not yet expired but has been revoked by the CA. This file may be several hundred kilobytes in size and is typically cached on the client computer for several days or more. The CRL file is itself signed by the CA to prevent tampering.
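The caching behaviour described in the two notes above (download only when the CRL is missing or expired, then reuse it for days) means a revocation published mid-window is not seen until the cached copy reaches its next-update time. The sketch below is an added example, not code from any of the quoted sources; `Crl`, `CrlCache`, `ToyCa`, the 7-day validity and the serial number are all constructed for illustration, and the CRL is assumed to be already parsed and signature-verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed, signature-verified CRL."""
    issuer: str
    this_update: datetime
    next_update: datetime          # the CRL's own "next update" field
    revoked_serials: frozenset

class CrlCache:
    """Client-side cache: refetch only when the CRL is missing or expired."""
    def __init__(self, fetch):
        self._fetch = fetch        # hypothetical callable: (issuer, now) -> Crl
        self._crls = {}
        self.downloads = 0

    def is_revoked(self, issuer, serial, now):
        crl = self._crls.get(issuer)
        if crl is None or now >= crl.next_update:
            crl = self._fetch(issuer, now)
            self._crls[issuer] = crl
            self.downloads += 1
        return serial in crl.revoked_serials

class ToyCa:
    """Constructed CA that publishes a CRL valid for 7 days on request."""
    def __init__(self, name):
        self.name = name
        self.revoked = set()

    def publish(self, issuer, now):
        return Crl(issuer, now, now + timedelta(days=7), frozenset(self.revoked))

def demo():
    ca = ToyCa("Example CA")
    cache = CrlCache(ca.publish)
    t0 = datetime(2015, 7, 16, 12, 0)
    serial = 0x1001                                   # constructed serial number
    results = [cache.is_revoked(ca.name, serial, t0)]  # first sight of this CA: download
    ca.revoked.add(serial)                            # CA revokes after the client cached the CRL
    results.append(cache.is_revoked(ca.name, serial, t0 + timedelta(days=3)))  # cache still valid
    results.append(cache.is_revoked(ca.name, serial, t0 + timedelta(days=7)))  # expired: refetch
    return results, cache.downloads

if __name__ == "__main__":
    print(demo())
```

The middle lookup is the exposure window: the certificate is already revoked at the CA, but the client keeps accepting it until the cached CRL expires.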
satya - 7/16/2015, 12:27:25 PM
OCSP on the other hand
In the OCSP method, the browser contacts a web service running at the specified URL and asks the service whether a specific certificate has been revoked; again, the response is signed to prevent tampering. The response to the "Is certificate <XXX> revoked?" query is typically much smaller than downloading an entire CRL file. If each OCSP request doesn't complete in less than 15 seconds, it times out.
A variant, called OCSP Stapling, allows the secure server to cryptographically prove that it has a recent "Yes this certificate is still valid" ticket that is signed by the CA. These tickets have a short lifetime and must be periodically renewed by the server in order to return a current ticket to clients in a TLS handshake. OCSP Stapling is the fastest and most private method of revocation checking, but it's not yet deployed on most sites. OCSP Stapling is supported by IIS7 and later, and Mozilla is funding a project to add support to OpenSSL. OCSP Stapling is more private than regular OCSP because it does not result in your computer contacting the CA and telling it what secure site you've just visited.
satya - 7/16/2015, 12:28:24 PM
OCSP Stapling is the fastest and most private method of revocation checking