Survey Results Rick Andrews 6 March 2014, IETF 89 London.

Slides:

Advertisements

Similar presentations

SSL Implementation Guide Onno W. Purbo

Advertisements

Cryptography and Network Security

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.

SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security

+1 (801) Ultralight OCSP Improving Revocation Checking.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

Cryptography and Network Security Chapter 17

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.

Chapter 8 Web Security.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

PKI Processing with OpenSSL Rodney Thayer

Josh Benaloh Brian LaMacchia Winter Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.

Tarefa Prática Mozilla Thunderbird . OpenPGP OpenPGP is also based on PGP.

Onno W. Purbo openssl Onno W. Purbo

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Unit 1: Protection and Security for Grid Computing Part 2

Certificate revocation list

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

06 APPLYING CRYPTOGRAPHY

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Symmetric Encryption Mom’sSecretApplePieRecipe Mom’sSecretApplePieRecipe The same key is used to encrypt and decrypt the data. DES is one example. Pie.

December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.

Everything You Wanted to Know about X.509 Certificates (But Were Afraid to Ask) JOE STROMMEN

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

Online Certificate Status Protocol ‘OCSP’ Dave Hirose July Outline: What is OCSP? Digital Signatures Certificate Revocation List Technical aspects.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

Creating and Managing Digital Certificates Chapter Eleven.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.

1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.

1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.

Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.

Revocation in WebPKI Phill Hallam-Baker Comodo. Standards intersection PKIX OTHER.

Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden

Document update - what has happened since GGF11

Apache Security with SSL Using FreeBSD

Using SSL – Secure Socket Layer

کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)

Determine Applicability of Certificates by using standard CABF CP OIDs

Presentation transcript:

Survey Results Rick Andrews 6 March 2014, IETF 89 London

Summary 2 of 7 clients (Mozilla, Comodo) responded; some questions still unanswered from Mozilla – Promises from Microsoft and Google 1 of 15 servers (CloudFlare) responded – Promise from Microsoft; “no business advantage for us to respond so we will abstain” – Oracle – No response from Apache, reached out to OpenSSL: no time, worry about hidden agenda 20 of 67 OCSP responders responded

Server Survey (CloudFlare) 2b) Which cryptographic algorithms/parameters does the product support for the creation of keys and CSRs? RSA 1024DSA 1024ECC nistp256MD2SHA1 RSA 2048DSA 2048ECC nistp384MD4SHA-256 RSA 3072DSA 3072ECC nistp521MD5SHA-384 RSA 4096DSA 4096ECC otherSHA-512 RSA otherDSA other

Server Survey (CloudFlare) 8c) Does the product check staples before installing them? Yes 8d) How frequently are new staples fetched? Hourly 8e) What is the behavior of the server when it has no valid staple? “OCSP response: no response sent”

Client Survey (Mozilla) 11a) Which of the following status mechanisms does the product support? (check all that apply; if multiple mechanisms are used, please explain under which conditions they are each used) 1 - CRL - Firefox currently has very, very limited support for CRLs and will soon have none. 5 - AIA (where the location of the OCSP responder is obtained from the AIA extension) 6 - Stapled OCSP 7 - multiple-stapled OCSP (Not yet) 8 - CRL Sets (Not yet) 9 - Blacklists 11b) What order of priority amongst these mechanisms does the product follow? 9, 6, 5

Client Survey (Mozilla) 21) Which versions of SSL/TLS does the product support? SSL3, TLS 1.0, TLS 1.1, TLS ) Does the product support SPDY? SPDY 3, d) Does the product ever offer cipher suites that are not supported in the TLS version advertised (i.e. AEAD cipher suites prior to TLS 1.2)? No, we aim not to, but see

Client Survey (Mozilla) 29a) Does the product support a ClientHello larger than 255 bytes? Yes 29h) Does the product support a ServerHello larger than 255 bytes? Yes

OCSP Responder Survey Responses from Actalis, Autoridad de Certificacion Firmaprofesional, Buypass, Certinomis, Chunghwa Telecom Corporation, Comodo, Entrust, Government of Hong Kong (SAR)/Hongkong Post, HARICA, Izenpe S.A., KEYNECTIS, SwissSign AG, TeliaSonera, Trend Micro, TrustCenter, Trustis, VeriSign (Symantec), Axway, Safelayer Keyone, CloudFlare

OCSP Responder Survey 7 are CAs that write their own responder 11 are CAs that use third-party responders (or intend to) 2 are developers of third-party responder code 1 is a CDN, but uses nginx as proxy

OCSP Responder Survey 2) Does the product support RFC 5019, Lightweight OCSP? 3 Yes 3) Does the product support RFC 6960, OCSP Algorithm Agility? 2 Yes 4) What is the behavior if a request is made for a certificate serial number that had not been issued? 1 Revoked, 4 Unknown, 3 Unauthorized, 2 Good

Observations Several people did not answer every question Some client vendors asked for test sites Apache responses are essential, but we’ve hit a roadblock Testing might be more productive than reporting

Next Steps?

Server Survey (CloudFlare) 4b) Does the product validate the certificate path upon installation? Yes 4c) Does the product allow PKCS#7 import (in which the PKCS#7 file contains intermediates and end-entity certificates, and the product discerns which is which?) Yes 4f) Does the product ensure that the certificate chain is in the correct order? Yes

Server Survey (CloudFlare) 4g) Can the product be configured to send a self- signed certificate as part of the certificate chain when it is not the sole certificate? Yes 4h) Can the product be configured to send unrelated certificates in the certificate chain? No 5) Key/certificate renewal: Does the product require a restart in order to change its key pair? No

Server Survey (CloudFlare) 6) Which versions of SSL/TLS does the product support? SSL3, TLS 1.0, TLS 1.1, TLS 1.2 8a) Does the product support OCSP stapling in accordance with RFC 6066? Yes 8b) Does the product support OCSP multiple- stapling in accordance with RFC 6961? No