Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus ... · →Comodo was split in two →WoSign is distrusted...

CA/B-Forum – ‘In the News’

Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus Technologieberatung GmbH, Berlin

Some CA/B Forum Member News

→Symantec is out of PKI Business

→Digicert has acquired website security and PKI solutions it

→Let’s Encrypt: Free SSL everywhere, but without identity

→Comodo was split in two

→WoSign is distrusted (has tried hard to come back)

→Microsoft has a new team

→Apple will support CT and reduce the number of CAs

And more gossip later…

→ Governance Change Working Group

→ Validation Working Group

→ Policy Review Working Group

→ Network Security Working Group

→ DNS Certification Authority Authorization (CAA) (in prep.)

CA/B Forum Working Groups

CA/Browser Forum Ballots:

→Ballot 208 – dnQualifiers →Ballot 214 – CAA Discovery CNAME Errata →Ballot 190 – BR 3.2.2.4 Validation Methods →Ballot 207 – ASN.1 Jurisdiction in EV Guidelines →Ballot 206 – Changes to IPR Policy and Bylaws re Formation of Work Groups →Ballot 209 – EV Liability →Ballot 213 – Revocation Timeline Extension →Ballot 216 – Chartering of CAA Working Group →Ballot XXX – Require CPS in RFC 3647 format →Ballot XXX – Remove "Any Other Method" from IP Address Validation →Ballot XXX – Remove requirement to obey latest version of the BRs

Meeting 41 Berlin, Germany June 2017 D-Trust

Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa Telecom

Meeting 43 Herndon, VA, USA March 2018 Amazon

Meeting 44 London, UK June 2018 Comodo

Meeting 45 Shanghai, China Oct 2018 CFCA

CA/B Forum Meetings

Meeting 41 Berlin,

Germany June 2017 D-Trust

Meeting 42 Taipei, Taiwan Oct 2017 Chunghwa

Telecom

Meeting 43 Herndon, VA,

USA March 2018 Amazon

Meeting 44 London, UK June 2018 Comodo

Meeting 45 Shanghai,

China Oct 2018 CFCA

CA/B Forum Meetings: Berlin

Mozilla is building its own policy

Mozilla Root Store Policy 2.5:

→Detailed audit report conditions (caused by poor ETSI CPs-based audits)

→Technically constrained CAs

→Strict requirements for incident reportings

→CP publicly-disclosed and audited

→CCADB: Complete database of CA status (now supported by MS and Apple, used by Google)

→“Forbidden and Required Practices” https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Page 7

Google is building its own world

→For SSL/TLS: Certificate Transparency since 2012:

→Supports control CA and “Digital Pillories” (www.crt.sh)

→…lots of logs… a few “un-qualified”

→For S/MIME: Key Transparency since 2016: “Our goal is to evolve Key Transparency into an open-source, generic, scalable, and interoperable directory of public keys with an ecosystem of mutually auditing directories.”

https://security.googleblog.com/2017/01/security-through-transparency.html

CT- Log CT- Log

CCA DB

CRT. SH

One-CRL One-CRL

Process to control CAs

Matrix: First Try

eIDAS Norm

eIDAS Qualified

CA/B-F Publicly Trusted

extended

Mozilla CP

Google CT-CP

DIGSIG 319411-1 319411-2 BR - CP 2.5

S/MIME (keytransp)

SERVER-AUTH-TLS

319411-1 319411-2 QWACs

BR EV CP 2.5 CT-CP

CODE-SIGNING

- - - EV- Code-

Signing - ?

Audited by CAB

ETSI EN 319 411

-1 and -2

EU Qualified Website

Authentication Certificates

ETSI QC-w-Statement

TSP included in national TSL

Requirements for QWACs

Requirements for PTC TLS

CA/B-EVC-Guide+

ETSI EN 319 411-1 or WebTrust+

Mozilla/Google/Apple/MS CPs

CA/B Forum EV Certificates

CA/B-EVC-OID:

Publicly trusted by browser

+Mozilla CP 2.5

+ Certificate transparency

Requirements for PT-QWACs

Branch- specific

Country-specific

Standard-specific

Application-specific

Policy Taxonomy

Too many CPs cause pain for TSP

eIDAS + ETSI + CEN

CA/B-Forum + Browser

Google CT

National+ Branch

Is Trust Visible?

https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf

Is Trust Visible?

https://casecurity.org/wp-content/uploads/2017/03/CASC-Browser-UI-Security-Indicators.pdf

ETSI Audit Issues

A coordinated response is needed:

→Communication between ETSI-audited PTC-TSP

→ETSI New Work Item on EN 319 403 update

→ACABc statement on audit report best practises

→Training for auditors?

→“Whitelisting” the audit bodies?

→Ballot on proposed text for audit requirements

→. . . Page 18

Questions? Dipl. Wirtsch.- Ing. Arno Fiedler Nimbus Technologieberatung GmbH Reichensteiner Weg 17 14195 Berlin arno.fiedler@nimbus-berlin.com Mobile: +49-172-3053272

Dipl. Wirtsch.-Ing. Arno Fiedler Nimbus ... · →Comodo was split in two →WoSign is distrusted...

Documents

The internet has trust issues - NLNOG• WoSign and StartCom are removed • Continues to issue certs because of cross-signing • WoSign is distrusted for C != CN • Doesn’t solve

Launching the New Ship of State Chapter 10. w Central government to be distrusted, watched, and curbed

FIELD TEST OF GRID ORIENTED MICRO CHP UNITS FOR DOMESTIC ENERGY SUPPLY Dipl.- Wirtsch. Ing. Arne Dammasch Prof. Dr.-Ing. Michael Kurrat

The Congress of Vienna of Vienna.pdfrepresentatives was the foreign minister of Austria, Prince Klemens von Metternich (MEHT•uhr•nihk). Metternich distrusted the democratic ideals

Launching the New Ship of State 1789-1800. Launching the New Ship of State Americans regarded a central authority as a necessary evil One to be distrusted,

WoSign Certificates Policy & Practice Statement · 2021. 6. 3. · WoSign Certificates Policy & Practice Statement . Version: 1.2.4 . Status: Final Approved . Updated: 2014-02-14

- ICRAT 2004 - Dipl.-Wirtsch.-Ing. Michael Schultz Dipl.-Ing. Susann Lehmann

The internet has trust issues - about StartCom and WoSign

patent- & lizenzmanagement. - Munich Network · 1 Prof. Dr. Todd A. Mooradian, College of William & Mary, Williamsburg | Dipl.-Wirtsch.-Ing. Stefan Kohn, Fraunhofer Technologieentwicklungsgruppe,

WoSign Incidents Final Report

Journal on Firearms and Public Policy · Colonial America claims that because Colonial governments distrusted the free population with guns, the laws required guns to be stored centrally,

WoSign Certificates Policy & Practice Statement · To verify the validity of a digital certificate they receive, relying parties must refer to the Certificate Revocation List (CRL)

WoSign Certificates Policy & Practice StatementAdd Class 2 SSL certificate and Class 2 Code Signing certificate 5. Add Class 4 EV Code Signing certificate 6. Update the IP address

Impact of Sustainability on Property Values · · 2015-07-04Impact of Sustainability on Property Values Author: Dipl.-Wirtsch.-Ing. (FH) Berit Schumann ... 4.2 Results of Questionnaire

WoSign Incidents Report · WoSign Incidents Report (September 4. th. 2016) WoSign got email notice from Mozilla for 3 incidents about WoSign at August 24th 2016, and WoSign responded

Ralf Isenmann Forschungsschwerpunkt Umweltschutz und ... · 3 1 Author and Correspondence Address Ralf Isenmann, Master of Industrial Engineering and Management (Dipl.-Wirtsch.-Ing.),

WoSign Certificates Policy & Practice Statement · WoSign have change d the company English name from “ WoSign CA Limited ” to “WoTrus CA Limited ” since August 24, 2017

Sanctuary: ARMing TrustZone with User-space Enclaves · with User-space Enclaves. Research Problem How can we construct an ecosystem of mutually distrusted enclaves on mobile devices?

The Presidency. The Roots of the Office of President American colonists distrusted the King to the point that their Articles of Confederation largely

Fukushima as “Moral Panic” - METI...Fukushima as “Moral Panic” Moral panics = blaming already distrusted members of society for things largely out of their control Reaction