Client Certs -- the old-new thing

Client Certs -- the old-new thing
CAcert, The Community CA
iang @ cacert.org

Login v0.0 to ...
- Login 0.0: everyone is trusted
- Login 0.1: usernames + passwords
- Login 0.3: SSO, the dream!
- Login 0.4: Federation...

What went wrong?
- 0.0: trust alone
- 0.1: N sites times N password schemes is complexity, and complexity buys neither support nor security (N * complexity != support + security)
- SSO:
  - every site needs a method... (chicken)
  - every person needs a method... (egg)
- Federation: who's got my data? Who's got the customer?

Haven't we got computers to deal with this stuff?
- We have! They are called "client certificates":
  - public-private key pairs, with third-party signatures
  - really, they are like "crypto-passwords"
  - supported by every browser, every webserver
- Why didn't they work?

Why client certs didn't work
- (a) Not the software: there was enough of it. Not the data or the customers either: neither is put at risk.
- (b) Every person needed a cert, which was a drag, and it did not scale.
- Chicken & egg: nobody had an egg. (Don't ask.)

CAcert gets into the egg business
- Certificates => "Identity" => Assurance
- The "web of trust"
- Audit! How do you audit a web of trust?
  - Doco... standards... verifiability...
  - CATS == CAcert Automated Testing System
  - All Assurers must be challenged!

Inspiration!
- CATS requires a client cert (no passwords). Why?
  - Because we are a CA?
  - So our Assurers know about certs?
  - We want to look cool?
  - We want high-security access?
  - Or? Don't ask...

The success of CATS
- Went live early 2008; obligatory early 2009
- Assurer numbers: 10k++ → 1000 → 2000 → 3000; today: 3320 or so
- Rule of thumb: a serious test reduces the pool to 1/3
- The Assurer community is stronger

CAcert gets into the chicken business
- Every Assurer has a cert! Therefore...
- Every site can use certs (only)
- Migrate all sites to cert usage (only): WordPress, Sympa, Voting...
- DONE! It's on the sysadm work list.

Results... for the blog!
- Write access if you have a cert
- More authors, more articles...
- Spam is solved
- No more lost-account, bad-password problems → the administrator is doing other things
- No more long arguments about WHO → users spend more time on articles...

Gotchas!
- #1 Multiple certs → Firefox confusion (we're waiting for user whitelisting of which cert goes to which site)
- #2 Crazy messages...
  - the server rejects the cert
  - the client says "server rejected handshake"
  - the user rejects it all...
  - developers don't/won't agree on who's to blame... (wait for more user complaints)

Strategies
- Hybrid: password PLUS certs, if you must... (the CA main site does this, for recovery)
- Only certs, always certs:
  - a. Apache does the processing (too little, or too much)
  - b. the app does the processing (gotta write some code)
- Recommend: Only + App.

Strategy in depth
- Gotcha #3: certs can & will change!
- Read the cert into the database (cert indexes → account)
- For new certs, scan for the same details: can match on email, and on Name
- If the user changes Name & email... more thinking required
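The "Only + App" strategy and the cert-change handling from the two slides above, as an added example in Python. This is not CAcert's code: it assumes Apache mod_ssl in front of the app with `SSLVerifyClient optional`, `SSLVerifyDepth 2`, an `SSLCACertificateFile` pointing at the CA roots (path not shown) and `SSLOptions +StdEnvVars +ExportCertData`, so that Apache only checks the chain and exports the result in its standard `SSL_CLIENT_*` environment variables. The `CertAccounts` class, the account names and the PEM blobs are all constructed for the example; the blobs are not real certificates, only the fingerprint logic touches them.

```python
import base64
import hashlib
from typing import Optional

# Real mod_ssl variable names (exported with SSLOptions +StdEnvVars +ExportCertData).
VERIFY = "SSL_CLIENT_VERIFY"         # NONE | SUCCESS | GENEROUS | FAILED:<reason>
PEM = "SSL_CLIENT_CERT"              # the client cert, PEM encoded
CN = "SSL_CLIENT_S_DN_CN"            # subject common name
DN_EMAIL = "SSL_CLIENT_S_DN_Email"   # legacy emailAddress in the subject DN
SAN_EMAIL = "SSL_CLIENT_SAN_Email_"  # SSL_CLIENT_SAN_Email_0, _1, ... from the SAN


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: the per-cert index key the database stores."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def cert_identity(environ: dict) -> Optional[dict]:
    """What the app trusts from the cert. None unless Apache verified the chain:
    NONE means no cert was offered, FAILED:... means the chain did not check out."""
    if environ.get(VERIFY) != "SUCCESS":
        return None
    emails, i = set(), 0
    while f"{SAN_EMAIL}{i}" in environ:
        emails.add(environ[f"{SAN_EMAIL}{i}"].lower())
        i += 1
    if environ.get(DN_EMAIL):
        emails.add(environ[DN_EMAIL].lower())
    return {"fingerprint": cert_fingerprint(environ[PEM]),
            "name": environ.get(CN, ""), "emails": emails}


class CertAccounts:
    """Hypothetical store: accounts indexed by cert fingerprint, re-bound on change."""

    def __init__(self):
        self.accounts = {}        # account id -> {"name": str, "emails": set}
        self.by_fingerprint = {}  # fingerprint -> account id

    def add(self, acct_id, name, emails, pem=None):
        self.accounts[acct_id] = {"name": name, "emails": {e.lower() for e in emails}}
        if pem is not None:
            self.bind(cert_fingerprint(pem), acct_id)

    def bind(self, fingerprint, acct_id):
        self.by_fingerprint[fingerprint] = acct_id

    def login(self, environ: dict):
        """Returns (status, account id or None)."""
        ident = cert_identity(environ)
        if ident is None:
            return "no-cert", None
        fp = ident["fingerprint"]
        if fp in self.by_fingerprint:
            return "known", self.by_fingerprint[fp]
        # New cert (renewed, reissued, new key): scan for the same details.
        # Email is the safer match: the CA verified the address before issuing.
        by_email = [a for a, r in self.accounts.items() if r["emails"] & ident["emails"]]
        if len(by_email) == 1:
            self.bind(fp, by_email[0])
            return "rebound-email", by_email[0]
        # Name alone is weak (names are not unique): report a unique candidate
        # but leave the binding to a confirmation step outside this function.
        by_name = [a for a, r in self.accounts.items()
                   if ident["name"] and r["name"] == ident["name"]]
        if len(by_name) == 1:
            return "confirm-name", by_name[0]
        return "unknown", None  # name and email both changed: no safe automatic match


def fake_pem(seed: bytes) -> str:
    """Constructed stand-in for SSL_CLIENT_CERT: PEM armour around arbitrary bytes."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(seed).decode()
            + "-----END CERTIFICATE-----\n")


def demo() -> dict:
    """Constructed accounts and certs; returns the login outcome per case."""
    store = CertAccounts()
    alice_old, alice_new = fake_pem(b"alice: original cert"), fake_pem(b"alice: renewed cert")
    store.add("alice", "Alice Example", {"alice@example.org"}, alice_old)
    store.add("bob", "Bob Example", {"bob@example.org"})

    def env(pem, cn, email):
        return {VERIFY: "SUCCESS", PEM: pem, CN: cn, SAN_EMAIL + "0": email}

    out = {"known": store.login(env(alice_old, "Alice Example", "alice@example.org")),
           "renewed": store.login(env(alice_new, "Alice Example", "alice@example.org")),
           "renewed-again": store.login(env(alice_new, "Alice Example", "alice@example.org")),
           "name-only": store.login(env(fake_pem(b"bob: new cert"), "Bob Example", "bob@new.example")),
           "both-changed": store.login(env(fake_pem(b"bob: newer"), "Robert Example", "rob@new.example")),
           "bad-chain": store.login({VERIFY: "FAILED:unable to get local issuer certificate",
                                     PEM: alice_old, CN: "Alice Example"}),
           "no-cert": store.login({VERIFY: "NONE"})}
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The split of labour is the point of "Only + App": Apache answers only "does this cert chain to a CA I trust", which is all it can answer well, and the app decides what a verified cert means for an account. Keying on the fingerprint rather than the subject DN is what makes the renewal case cheap to detect, and treating a name-only match as a candidate rather than a login is the cautious reading of "more thinking required".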

Conclusion
- Certs do work:
  - much better than passwords
  - much less hassle once going...
  - much easier on administrators
- Against other methods? Higher security than OpenID
- Available (once you buy some eggs...)

Challenge
- Problem (b): nobody's got an egg...
- Challenge for you: get certs to all users ("all are CAcert...")
- Build a site, any site, and use certs
- Internal: use factory certs