SlideShare a Scribd company logo

New Window of Opportunity

Download as PPTX, PDF
CASCouncil, profile picture
CASCouncil

DigiCert supports the concept of certificate transparency which provides insight into issued SSL certificates and better remediation. Certificate transparency logs all certificates issued and enables fast detection of mis-issued certificates. While DigiCert has already implemented certificate transparency, questions remain regarding log security, privacy, and exemptions that require discussion before industry-wide adoption. Overall, certificate transparency enhances security without introducing unintended consequences.

Technology
1 of 11
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
New Window of Opportunity: Certificate Transparency - A Certification Authority’s Perspective Ben Wilson, SVP DigiCert Ben_at_digicert_dot_com www.digicert.com +1 (801) 877-2100
Introduction • Goals of Certificate Transparency: – Provide insight into issued SSL certificates – Provide better remediation services – Ensure CAs are aware of what they issue • DigiCert supports the concept of transparent certificate practices and certificate logging: – Voiced our support of transparency early on – Already accessing Google’s log server • Some outstanding areas require discussion prior to advocating industry-wide implementation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Issuance Flow ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Transparency • Benefits – Fast detection = better mitigation – Greater visibility = better accountability for domain owners – Visible trust in operations = increased trust for CAs – Greater opportunity for discussion on certificates = improvement in Internet security • Security – Enables detection of problem and mis-issued certificates – Necessary for adequate remediation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Public Logging • Public logging was discussed previously in CA /B Forum – Action by a browser was needed to make it happen • Public log shines a light on CAs • Public log provides mitigation – All of the incidents could have been more quickly detected and remediated with CT • Public log helps researchers • Public log is detection in security – Baseline requirements is prevention – Revocation is remediation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Security Improvement • Raises awareness of practices – Allows broader observation of a CA’s practices – Allows domain owners to identify illegitimate use of domain names (Early Warning System) • Exposes weak points/players in ecosystem – Enables research to identify improvement areas • Enables trust decisions for domain owners – Self-regulating mechanism for the market ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Other Benefits • Backward compatible • Driving towards implementation • Expands the existing system – SSL has a proven track record – Lots of institutional knowledge – Increasingly stringent standards • Avoids “unintended consequences” of new technology • Deployed by CAs and Browsers – Web site operator participation is not required ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Implementation • Obtained REST JSON API from Google (URL reference) • Identified log servers – No new infrastructure • Updated our issuance code to communicate with log server • Created code to verify signed proof on response before embedding into certificate • Modified our certificate profile ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Remaining Questions from CAs • Number of Proofs – Each proof increases certificate size – Increased certificate size hampers performance • Privacy, competitive business considerations • Level playing field requirement for all CAs • Exemptions for internal certificates • Log accessibility and resiliency of deployment ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Log Server Considerations Model implementation provided by Google – Uses SQL light for log tree storage – Which CAs can add to a log? – What will be considered a trusted log? Security policy for trusted log operation is needed – Identify desired uptime and performance objectives – Scope broad enough to include entire system (e.g. mitigating disruption due to log compromises) – Perform risk assessment and adopt controls – Policy adoption process needs to be quick / efficient ©DigiCert, Inc. 2013. All Rights Reserved April 2013
Conclusion DigiCert supports Certificate Transparency because it – Addresses vulnerabilities in the current trust model – Creates transparency and accountability that will lead to prevention and early detection of mis-issuances – Is based on existing technologies that are easily supported with industry coordination – Enhances existing self-regulating mechanisms by leveraging an existing, refined and time-tested CA trust- anchor system while avoiding the “unintended consequences” of new technology in unfamiliar space ©DigiCert, Inc. 2013. All Rights Reserved April 2013

More Related Content

PDF
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
PPTX
SANS Critical Security Controls Summit London 2013
Wolfgang Kandek
 
PPTX
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
PDF
Managed firewall service.
Mindtree Ltd.
 
PDF
Simplifying PCI on a PaaS Environment
Engine Yard
 
PDF
INTRODUCTION TO IVANTI NEURONS
Ivanti
 
PDF
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
CSNP
 
PDF
Managed Service Brochure
Len Moncrieffe
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
SANS Critical Security Controls Summit London 2013
Wolfgang Kandek
 
Software-Defined Segmentation Done Easily, Quickly and Right
SBWebinars
 
Managed firewall service.
Mindtree Ltd.
 
Simplifying PCI on a PaaS Environment
Engine Yard
 
INTRODUCTION TO IVANTI NEURONS
Ivanti
 
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
CSNP
 
Managed Service Brochure
Len Moncrieffe
 

What's hot (20)

PDF
DARPA: Cyber Analytical Framework (Kaufman)
Michael Scovetta
 
PPTX
Vulnerability Testing Services Case Study
Nandita Nityanandam
 
PDF
IT Service & Asset Management Better Together
Ivanti
 
PPTX
Ivanti remote worker ds
Ivanti
 
PDF
Secure Your Data with Fidelis Network® for DLP
Fidelis Cybersecurity
 
PDF
David Klein - Defending Against Nation Sate Attackers & Ransomware
CSNP
 
PDF
The Future of Technology Operations
Ivanti
 
PPTX
Sam Herath - Six Critical Criteria for Cloud Workload Security
centralohioissa
 
PPTX
Managing Multiple Assessments Using Zero Trust Principles
ControlCase
 
PPTX
A Primer on iOS Management and What's Changing
Ivanti
 
PDF
Cisco Connect 2018 Malaysia - introducing cisco dna assurance-the future of n...
NetworkCollaborators
 
PPTX
On Common Ground: The Overlap of PCI DSS and Data Protection
Tripwire
 
PPTX
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
centralohioissa
 
PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
PDF
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
PPTX
Cybersecurity Implementation and Certification in Practice for IoT Equipment
Onward Security
 
PPTX
Best Practices for Cloud Security
IT@Intel
 
PDF
What You Need To Know About The New PCI Cloud Guidelines
CloudPassage
 
PPTX
From Physical to Virtual to Cloud
Cisco Security
 
PPTX
Defending the Data Center: Managing Users from the Edge to the Application
Cisco Security
 
DARPA: Cyber Analytical Framework (Kaufman)
Michael Scovetta
 
Vulnerability Testing Services Case Study
Nandita Nityanandam
 
IT Service & Asset Management Better Together
Ivanti
 
Ivanti remote worker ds
Ivanti
 
Secure Your Data with Fidelis Network® for DLP
Fidelis Cybersecurity
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
CSNP
 
The Future of Technology Operations
Ivanti
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
centralohioissa
 
Managing Multiple Assessments Using Zero Trust Principles
ControlCase
 
A Primer on iOS Management and What's Changing
Ivanti
 
Cisco Connect 2018 Malaysia - introducing cisco dna assurance-the future of n...
NetworkCollaborators
 
On Common Ground: The Overlap of PCI DSS and Data Protection
Tripwire
 
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
centralohioissa
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Fidelis Endpoint® - Live Demonstration
Fidelis Cybersecurity
 
Cybersecurity Implementation and Certification in Practice for IoT Equipment
Onward Security
 
Best Practices for Cloud Security
IT@Intel
 
What You Need To Know About The New PCI Cloud Guidelines
CloudPassage
 
From Physical to Virtual to Cloud
Cisco Security
 
Defending the Data Center: Managing Users from the Edge to the Application
Cisco Security
 
Ad

Viewers also liked (6)

PPTX
Decision criteria and analysis for hardware-based encryption
Thales e-Security
 
PPTX
141118 Thales contributions and benefits
SINTAS
 
PPTX
Protecting application delivery without network security blind spots
Thales e-Security
 
PPTX
Thales e-Security corporate presentation
Thales e-Security
 
PDF
SaaS Marketing Plan: 5 Ways to Get your B2B App to Sell Itself
Lincoln Murphy
 
PDF
Go to-market strategy for B2B SaaS companies
Guillaume Lerouge
 
Decision criteria and analysis for hardware-based encryption
Thales e-Security
 
141118 Thales contributions and benefits
SINTAS
 
Protecting application delivery without network security blind spots
Thales e-Security
 
Thales e-Security corporate presentation
Thales e-Security
 
SaaS Marketing Plan: 5 Ways to Get your B2B App to Sell Itself
Lincoln Murphy
 
Go to-market strategy for B2B SaaS companies
Guillaume Lerouge
 
Ad

Similar to New Window of Opportunity (20)

PPTX
Myths of validation
Jeff Thomas
 
PDF
110307 cloud security requirements gourley
GovCloud Network
 
PDF
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Systems, Inc.
 
PPTX
Monitoring in the DevOps Era
Mike Kavis
 
PPTX
security and compliance in the cloud
Ajay Rathi
 
PDF
Open Architecture: The Key to Aviation Security
agoldsmith1
 
PPTX
1C_-_Treasury_Managemt_in_the_Cloud_.pptx
CodyK1
 
PDF
GCP Security Refresher and GKE Enterprise In Action
Stacy Véronneau
 
PDF
Improving Quality through Continuous Integration - A case study of CollabNet
Venkat Janardhanam, MS, MBA
 
PDF
2019 10-app gate sdp 101 09a
Cristian Garcia G.
 
PPTX
Transforming cloud security into an advantage
Moshe Ferber
 
PPTX
Rightscale Webinar: PCI in Public Cloud
RightScale
 
POTX
Should healthcare abandon the cloud final
sapenov
 
PDF
CAs And The New Paradigm Shift
CASCouncil
 
PPTX
Logicalis BYOD Briefing
Logicalis Australia
 
PDF
CSA Introduction 2013 David Ross
Graeme Wood
 
PDF
Introduction to CSA Australia 2013 by David Ross
CloudSecurityAllianceAustralia
 
PDF
Compliance in Public Cloud & CSA Framework
CloudSecurityAllianceAustralia
 
PPTX
Security Architecture Best Practices for SaaS Applications
Techcello
 
PPTX
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
Myths of validation
Jeff Thomas
 
110307 cloud security requirements gourley
GovCloud Network
 
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Systems, Inc.
 
Monitoring in the DevOps Era
Mike Kavis
 
security and compliance in the cloud
Ajay Rathi
 
Open Architecture: The Key to Aviation Security
agoldsmith1
 
1C_-_Treasury_Managemt_in_the_Cloud_.pptx
CodyK1
 
GCP Security Refresher and GKE Enterprise In Action
Stacy Véronneau
 
Improving Quality through Continuous Integration - A case study of CollabNet
Venkat Janardhanam, MS, MBA
 
2019 10-app gate sdp 101 09a
Cristian Garcia G.
 
Transforming cloud security into an advantage
Moshe Ferber
 
Rightscale Webinar: PCI in Public Cloud
RightScale
 
Should healthcare abandon the cloud final
sapenov
 
CAs And The New Paradigm Shift
CASCouncil
 
Logicalis BYOD Briefing
Logicalis Australia
 
CSA Introduction 2013 David Ross
Graeme Wood
 
Introduction to CSA Australia 2013 by David Ross
CloudSecurityAllianceAustralia
 
Compliance in Public Cloud & CSA Framework
CloudSecurityAllianceAustralia
 
Security Architecture Best Practices for SaaS Applications
Techcello
 
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 

More from CASCouncil (20)

PDF
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
CASCouncil
 
PPTX
Six Reasons http Will Become a Thing of the Past
CASCouncil
 
PDF
What Kind of SSL/TLS Certificate Do I Need?
CASCouncil
 
PPTX
Payments Security – Vital Information all Payment Processors need to know
CASCouncil
 
PDF
TLS Certificates on the Web – The Good, The Bad and The Ugly
CASCouncil
 
PDF
2016 IRS Free e-File Audit & Honor Roll
CASCouncil
 
PDF
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
PPTX
CA/Browser Forum—To effect positive changes to improve internet security
CASCouncil
 
PDF
Update on the Work of the CA / Browser Forum
CASCouncil
 
PDF
Extended Validation Builds Trust
CASCouncil
 
PPTX
CA Day 2014
CASCouncil
 
PPT
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
PDF
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
CASCouncil
 
PDF
Alternatives and Enhancements to CAs for a Secure Web
CASCouncil
 
PDF
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
CASCouncil
 
PPTX
State of the Web
CASCouncil
 
PDF
Trust Service Providers: Self-Regulatory Processes
CASCouncil
 
PDF
Certificates, Revocation and the new gTLD's Oh My!
CASCouncil
 
PPTX
CA Self Regulation
CASCouncil
 
PDF
Nation-State Attacks On PKI
CASCouncil
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
CASCouncil
 
Six Reasons http Will Become a Thing of the Past
CASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
CASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
CASCouncil
 
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CASCouncil
 
Update on the Work of the CA / Browser Forum
CASCouncil
 
Extended Validation Builds Trust
CASCouncil
 
CA Day 2014
CASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
CASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
CASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
CASCouncil
 
State of the Web
CASCouncil
 
Trust Service Providers: Self-Regulatory Processes
CASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
CASCouncil
 
CA Self Regulation
CASCouncil
 
Nation-State Attacks On PKI
CASCouncil
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
A Presentation on Artificial Intelligence
memembruh336
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

New Window of Opportunity

  • 1. New Window of Opportunity: Certificate Transparency - A Certification Authority’s Perspective Ben Wilson, SVP DigiCert Ben_at_digicert_dot_com www.digicert.com +1 (801) 877-2100
  • 2. Introduction • Goals of Certificate Transparency: – Provide insight into issued SSL certificates – Provide better remediation services – Ensure CAs are aware of what they issue • DigiCert supports the concept of transparent certificate practices and certificate logging: – Voiced our support of transparency early on – Already accessing Google’s log server • Some outstanding areas require discussion prior to advocating industry-wide implementation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 3. Issuance Flow ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 4. Transparency • Benefits – Fast detection = better mitigation – Greater visibility = better accountability for domain owners – Visible trust in operations = increased trust for CAs – Greater opportunity for discussion on certificates = improvement in Internet security • Security – Enables detection of problem and mis-issued certificates – Necessary for adequate remediation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 5. Public Logging • Public logging was discussed previously in CA /B Forum – Action by a browser was needed to make it happen • Public log shines a light on CAs • Public log provides mitigation – All of the incidents could have been more quickly detected and remediated with CT • Public log helps researchers • Public log is detection in security – Baseline requirements is prevention – Revocation is remediation ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 6. Security Improvement • Raises awareness of practices – Allows broader observation of a CA’s practices – Allows domain owners to identify illegitimate use of domain names (Early Warning System) • Exposes weak points/players in ecosystem – Enables research to identify improvement areas • Enables trust decisions for domain owners – Self-regulating mechanism for the market ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 7. Other Benefits • Backward compatible • Driving towards implementation • Expands the existing system – SSL has a proven track record – Lots of institutional knowledge – Increasingly stringent standards • Avoids “unintended consequences” of new technology • Deployed by CAs and Browsers – Web site operator participation is not required ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 8. Implementation • Obtained REST JSON API from Google (URL reference) • Identified log servers – No new infrastructure • Updated our issuance code to communicate with log server • Created code to verify signed proof on response before embedding into certificate • Modified our certificate profile ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 9. Remaining Questions from CAs • Number of Proofs – Each proof increases certificate size – Increased certificate size hampers performance • Privacy, competitive business considerations • Level playing field requirement for all CAs • Exemptions for internal certificates • Log accessibility and resiliency of deployment ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 10. Log Server Considerations Model implementation provided by Google – Uses SQL light for log tree storage – Which CAs can add to a log? – What will be considered a trusted log? Security policy for trusted log operation is needed – Identify desired uptime and performance objectives – Scope broad enough to include entire system (e.g. mitigating disruption due to log compromises) – Perform risk assessment and adopt controls – Policy adoption process needs to be quick / efficient ©DigiCert, Inc. 2013. All Rights Reserved April 2013
  • 11. Conclusion DigiCert supports Certificate Transparency because it – Addresses vulnerabilities in the current trust model – Creates transparency and accountability that will lead to prevention and early detection of mis-issuances – Is based on existing technologies that are easily supported with industry coordination – Enhances existing self-regulating mechanisms by leveraging an existing, refined and time-tested CA trust- anchor system while avoiding the “unintended consequences” of new technology in unfamiliar space ©DigiCert, Inc. 2013. All Rights Reserved April 2013