[Dshield] Digital certificates

Al Reust areust at comcast.net
Wed Oct 27 03:43:38 GMT 2004

Johannes, Kenneth et al

Yes the Department of Defense is issuing Public Key Infrastructure (PKI) 
Certificates. Government Computer News had the original article  that 
explained "why" ages ago. I do not have time to find it, it did state some 
of the reasoning why. If you search

it will show you some of what is a foot.

It stated that every member would receive a Certificate in one of two 
forms. Software Certificate or Smart Card. There are reasonings for which 
would be preferable over the other. The primary purpose would be for:

Server Access or Email

It stated that servers that provide access via HTTP would require SSL 
(HTTPS), Users would be issued Identity Certificates for individual access. 
If you do not present proper Identity then you are not allowed in.

HTTP - The basic premise is that if a site within the trusted domain 
receives an identity certificate from a user then the user is a member of 
the trusted network (they can get in). If no certificate is presented for 
validation, the user is not admitted then they are told to go away.

Email - This also provides integrity and non-repudiation. If George was 
issued an identity certificate and signs an email then it would mean that 
George sent the email. That case was tested in California and was upheld, 
it becomes the users responsibility to prove that the user did not properly 
protect the issued certificate.

Encryption - encryption means that you can protect data that could be 
considered "sensitive" but you have to exchange Public Keys before 
encryption that occur between users.

If web access is wrapped in 128 bit SSL (for authentication) then theft of 
identity becomes less of a concern (within the trusted network). You can 
account for every person.

If you deliver the Trusted Root Certificate within your network then it is 
not an issue. To users it becomes transparent.

If you carefully qualify the Registration Authority then you can control 
who/machines that are issued Certificates.

 From all this there are many companies that are going this route. The 
basis premise again is that if you do not present either a Soft Cert or a 
Smart Card then you are "not" a member "Just go away." So this is not new 
technology, but way of making the technology work.

So the question for the day becomes. How can you run cross site scripting 
against a site that asked for a Identity Certificate before it will present 
the web document root?

At 07:33 AM 10/26/2004 -0400, you wrote:

> > > You could always just do what some government sites do and write your
> > > own certificate.  Many of the dot mils I have been visiting lately seem
> > > to be creating/writing their own with no repercussions.
> >
> >
> > When you can reply with your very own nuclear weapon, I suppose you
> > don't have to worry about repercussions.
>Writing your own certificates (= signing them with your own CA, not just
>"self signed") is perfectly acceptable if you have a limited user group.
>You just have to find a way to distribute the CA-certificate (which can
>easily be downloaded from a web site).
>The only thing that makes Verisign at al special is that they managed to
>have their certificates added to common browsers as default "trusted"
>So as long as you can convince people to download (and trust) your own
>certificate, you are fine. For example for a company internal website,
>you can ask users to pickup the CA-certificate (from a secure internal
>location). You will now just use this "company CA" to issue various
>certificates of your own to "secure" your company internal websites. For
>example development sites, intranets or others. You may use this not
>just for web sites. You could use them for S-Mime and other purposes.
>Johannes Ullrich                     jullrich at euclidian.com
>contact: http://johannes.homepc.org/contact.htm



More information about the list mailing list