Presentation is loading. Please wait.

Presentation is loading. Please wait.

Client Certs -- the old-new thing

Published byFlora Miles Modified over 6 years ago

Similar presentations

Presentation on theme: "Client Certs -- the old-new thing"— Presentation transcript:

1 Client Certs -- the old-new thing
CAcert The Community CA cacert.org

2 Login v0.0 to ... Login 0.0: everyone is trusted
Login 0.1 passwords + usernames Login 0.3 SSO – the dream! Login 0.4 Federation...

3 What went wrong? 0.0 Trust 0.1: N * complexity != support + security
SSO Every site, a method (chicken) Every person, a method... (egg) Who's got my data? Who's got customer?

4 Haven't we got computers to deal with this stuff?
We have! They are called “client certificates” public-private-key pairs, third party signatures Really, they are like “crypto-passwords” Every browser, every webserver Why didn't they work?

5 Why Client Certs didn't work
Enough software ... Data isn't at risk, nor customers (b) every person needed a cert Which was a drag … did not scale Chicken & egg: nobody had an egg. (Don't ask.)

6 CAcert gets into the Egg business
Certificates => “Identity” => Assurance The “web of trust” Audit! How do you audit a web of trust? Doco … standards … verifiability … CATS == CAcert Automated Testing System All Assurers must be challenged!

7 Inspiration! CATS requires a client cert (no passwords)
Because we are a CA? So our Assurers know about certs? We want to look cool? We want high-security access? Or? Don't ask...

8 The success of CATS Went live early 2008 Obligatory early 2009
10k++ → 1000 → 2000 → 3000 Today: or so Rule of thumb: serious test reduces to 1/3 Assurer community is stronger

9 CAcert gets into the Chicken business
Every Assurer has a cert! Therefore... every site can use certs (only) Migrate all to cert usage (only) Wordpress, Sympa, Voting … DONE! It's on the sysadm work list

10 Results... for the blog! Write-access if you have a cert
More authors, more articles... Spam is solved. No more lost-account, bad password problems → administrator is doing other things No more long arguments about WHO → users spend more time on articles...

11 Gotchas! #1 Multiple certs → Firefox confusion
(We're waiting for user-whitelisting) #2 Crazy messages... Server rejects cert Client says Server rejected handshake User rejects it all... Developers don't/won't agree on blame… (wait for more user complaints)

12 Strategies Hybrid: Password PLUS certs If you must...
(CA main site does this, for recovery) Only Certs, always certs: a. Apache does processing (too little, too much) b. App does processing (gotta write some code) Recommend: Only+App.

13 Strategy in Depth Gotcha #3: certs can & will change!
Read cert into Database (cert indexes → to account) For new Certs, scan for same details Can match on , and Name. If user changes Name & … More thinking required

14 Conclusion Certs do Work Much better than passwords
Much less hassle once going... Much easier on administrators Against other methods? Higher security than OpenID Available (once you buy some eggs...)

15 Challenge Problem (b): nobody's got an egg...
Challenge for you: get certs to all users “all are CAcert...” Build a site, any site, use certs Internal: use factory certs

Download ppt "Client Certs -- the old-new thing"

Similar presentations

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
魂▪創▪通魂▪創▪通 2013. 11. 15. Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.

魂▪創▪通魂▪創▪通 Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.
Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2.

Masud Hasan Secue VS Hushmail Project 2.
© 2005-07 NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.

© NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
Using Personal Certificates Jeff D’Angelo Jeremy Hill Network of People, Jan 6, 2005.

Using Personal Certificates Jeff D’Angelo Jeremy Hill Network of People, Jan 6, 2005.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.

E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Session 7 LBSC 690 Information Technology Security.

Session 7 LBSC 690 Information Technology Security.
Www.uni-c.dk1 WWW.UNI-C.DK Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.

Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.

Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.
Automated Certificate Management ACME + Let’s Encrypt Richard

Automated Certificate Management ACME + Let’s Encrypt Richard

Similar presentations

Ads by Google