Client Certs -- the old-new thing CAcert The Community CA cacert.org.

Slides:



Advertisements
Similar presentations
Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
Advertisements

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Using Digital Credentials On The World-Wide Web M. Winslett.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Cryptography 101 Frank Hecker
Higher Order WP Security Hacks, attacks, and getting your site back Dougal Campbell.
Masud Hasan Secue VS Hushmail Project 2.
© NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.
Identity Management Report By Jean Carreon and Marlon Gonzales.
Using Personal Certificates Jeff D’Angelo Jeremy Hill Network of People, Jan 6, 2005.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
Automated Certificate Management ACME + Let’s Encrypt Richard
1. U2F Case Study Examining the U2F paradox 3 What is Universal 2 nd Factor (U2F)?
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Web Services Security Patterns Alex Mackman CM Group Ltd
TOPIC: AUTHENTICITY CREATED BY SWAPNIL SAHOO AuthenticityAuthorisation Access Control Basic Authentication Apache BASIC AUTHENTICATIONDIGEST ACCESS AUTHENTICATIONDHCP.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
USGS GRID Exploratory Status Review Stuart Doescher Mike Neiers USGS/EDC May
Catherine Metcalf | Dec U.S. Department of Education 2015 FSA Training Conference for Financial Aid Professionals The FSA ID – Resources for Assisting.
Improving the Usability and Security of OpenID Mike Jones Microsoft Federated Identity Team
Maryknoll Wireless Network Access Steps for Windows 7 As of Aug 20, 2012.
. Electronic. is a method of exchanging digital messages. What does the E in stand for?
Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional.
General Principles for Phyto Ecert (day 1) Peter Johnston Plant Exports.
Integrating your Community with your AMS and showing ROI Rob Kaighn TMA Resources, Inc.
CAcert, a Security Community. The Problem Back in 2001: Sydney had WLAN network access everywhere (Sydney Wireless) People were running their own mailservers.
Digital Certificates Presented by: Matt Weaver. What is a digital certificate? Trusted ID cards in electronic format that bind to a public key; ex. Drivers.
Authentication & Authorisation Is the user allowed to access the site?
© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 What is the CCA?

PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.
Web Applications Security Cryptography 1
eduroam Managed IdP - Roadmap
A Board-Level Business Risk
TIP Remember, your sense of conviction and your involvement with the content of the presentation are critical to its success.
Federation made simple
SSL Certificates for Secure Websites
AIM/education directory (Ed dir)
Data and Applications Security Developments and Directions
Certificates An increasingly popular form of authentication
Uses Uses of cryptography Lab today on RSA
Symantec Code Signing Certificate
Client Certs -- the old-new thing
Misc. Security Items.
Cross-Site Request Forgeries: Exploitation and Prevention
CAcert and the Audit.
Nessus Vulnerability Scanning
Multifactor Authentication & First Time Login
Tom Chothia Computer Security
Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.
If I’d only known then what I know now about phishing…
Implementing Security in ASP.NET Core: Claims, Patterns, and Policies
Certificates An increasingly popular form of authentication
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Mike Adnson | Launch Manager,
Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Scott Alan Miller MCP,
Scott Miller TSM Team Lead Ray Mah Architect, Foundation
Scott Miller TSM Team Lead Ray Mah Architect, Foundation
Presentation transcript:

Client Certs -- the old-new thing CAcert The Community CA cacert.org

Authentication v0.0 to... ● Login 0.0: everyone is trusted ● Login 0.1 passwords + usernames ● Login 0.3 SSO (single-sign-on) – the dream! ● Login 0.4 Federation...

What went wrong? ● 0.0 everyone is … Untrusted ● 0.1: passwords – N * complexity != support + security ● 0.3, 0.4 SSO + Federation a) Every site, a method... (chicken) b) Every person, a method... (egg) c) Who's got my data? d) Who's got customer?

Haven't we got computers to deal with this authentication stuff? ● We have! ● They are called “client certificates” – public-private-key pairs, – (third party) signatures ● Really, they are like “crypto-passwords” ● Every browser, every webserver ● Why didn't they work?

Why Client Certs didn't work ● Enough software... ● Data isn't at risk, nor customers ● every person needed a cert – Which was a drag … did not scale ● Problem (b) nobody had an egg. – Chicken & egg ● (Don't ask.)

CAcert gets into the Egg business ● Certificates => “Identity” => Assurance – The “web of trust” ● Audit! – How do you audit a web of trust? – Doco … standards … verifiability … ● CATS == CAcert Automated Testing System – All Assurers must be challenged!

Inspiration! ● CATS requires a client cert (no passwords) – Because we are a CA? – So our Assurers know about certs? – We want to look cool? – We want high-security access? – Or? – Don't ask...

The success of CATS ● Went live early 2008 ● Obligatory early 2009 ● 10k++ → 1000 → 2000 → 3000 – Today: 3320 or so – Rule of thumb: serious test reduces to 1/3 ● Assurer community is stronger

CAcert gets into the Chicken business ● Every Assurer has a cert! ● Therefore... every site can use certs (only) ● Migrate all to cert usage (only) ● Wordpress, Sympa, Voting … DONE! ● It's on the sysadm work list

Results... for the blog! ● Write-access if you have a cert – More authors, more articles... ● Spam is solved. ● No more lost-account, bad password problems ● → administrator is doing other things ● No more long arguments about WHO ● → users spend more time on articles...

Gotchas! ● #1 Multiple certs → Firefox confusion – (We're waiting for user-whitelisting) ● #2 Crazy messages... – Server rejects cert – Client says Server rejected handshake – User rejects it all... – Developers don't/won't agree on blame… – (wait for more user complaints)

Strategy 1. Hybrid ● 1. Hybrid: Password PLUS certs – Attack between the gaps: HTTP+HTTPS – Sounds a bit like phishing... – Forever coding the border ● Only if you know you have to. – (CA main site does this, for recovery)

Strategy 2. Only Certs Only SSL, only Certs, always certs: ● 2.a. Apache does processing – (too little, too much) ● 2.b. App does processing – (gotta write some code) ● 2.b Recommended!

Strategy 2.b in Depth ● Gotcha #3: certs can & will change! ● Read cert into Database – (cert indexes → to account) ● For new Certs, scan for same details – Can match on , and Name. ● If user changes Name & … – More thinking required

Conclusion ● Certs do Work – Much better than passwords – Much less hassle once going... – Much easier on administrators ● Against other methods? – Higher security than OpenID – Available (once you buy some eggs...)

Your Challenge ● Problem (b): nobody's got an egg... ● Challenge for you: get certs to all users – “all are Cacert...” (borrow) – Build a site, any site, use certs (pull) – Internal: use factory certs (push)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.