[Dshield] Digital certificates
areust at comcast.net
Wed Oct 27 03:43:38 GMT 2004
Johannes, Kenneth et al.,
Yes, the Department of Defense is issuing Public Key Infrastructure (PKI)
certificates. Government Computer News had the original article that
explained "why" ages ago. I do not have time to find it, but it did state some
of the reasoning. If you search, it will show you some of what is afoot.
It stated that every member would receive a certificate in one of two
forms: a software certificate or a smart card. There are reasons why one
would be preferable over the other. The primary purpose would be for
server access or email.
It stated that servers providing access via HTTP would require SSL
(HTTPS), and users would be issued identity certificates for individual access.
If you do not present a proper identity, then you are not allowed in.
HTTP - The basic premise is that if a site within the trusted domain
receives an identity certificate from a user, then the user is a member of
the trusted network (they can get in). If no certificate is presented for
validation, the user is not admitted and is told to go away.
Email - This also provides integrity and non-repudiation. If George was
issued an identity certificate and signs an email, then it would mean that
George sent the email. That case was tested in California and was upheld;
it becomes the user's responsibility to prove that the user did not properly
protect the issued certificate.
Encryption - Encryption means that you can protect data that could be
considered "sensitive", but you have to exchange public keys before
encryption can occur between users.
If web access is wrapped in 128-bit SSL (for authentication), then theft of
identity becomes less of a concern (within the trusted network). You can
account for every person.
If you deliver the trusted root certificate within your network, then it is
not an issue. To users it becomes transparent.
If you carefully qualify the Registration Authority, then you can control
which users and machines are issued certificates.
From all this, there are many companies that are going this route. The
basic premise again is that if you do not present either a soft cert or a
smart card, then you are "not" a member: "Just go away." So this is not new
technology, but a way of making the technology work.
So the question for the day becomes: how can you run cross-site scripting
against a site that asks for an identity certificate before it will present
the web document root?
At 07:33 AM 10/26/2004 -0400, you wrote:
> > > You could always just do what some government sites do and write your
> > > own certificate. Many of the dot mils I have been visiting lately seem
> > > to be creating/writing their own with no repercussions.
> > When you can reply with your very own nuclear weapon, I suppose you
> > don't have to worry about repercussions.
>Writing your own certificates (= signing them with your own CA, not just
>"self-signed") is perfectly acceptable if you have a limited user group.
>You just have to find a way to distribute the CA certificate (which can
>easily be downloaded from a web site).
>The only thing that makes Verisign et al. special is that they managed to
>have their certificates added to common browsers as default "trusted".
>So as long as you can convince people to download (and trust) your own
>certificate, you are fine. For example, for a company-internal website,
>you can ask users to pick up the CA certificate (from a secure internal
>location). You will now just use this "company CA" to issue various
>certificates of your own to "secure" your company-internal websites, for
>example development sites, intranets or others. You may use this not
>just for web sites. You could use them for S/MIME and other purposes.
>Johannes Ullrich jullrich at euclidian.com
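The access rule described in the post above (present an identity certificate chaining to the network's root or you are not admitted) and Johannes's point about signing with your own CA and distributing only that CA certificate, worked through as an added example that is not part of the original thread. The Go program below (standard library only) mints a network CA, issues a server certificate and two client identity certificates, and starts a TLS server configured with RequireAndVerifyClientCert against that one root. Three clients then connect: a member holding a CA-issued "George" certificate, a visitor with no certificate at all, and an impostor whose "George" certificate comes from a CA the network never distributed. The CA names, the "localhost" hostname and the greeting text are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn and returns it with its key and parsed Leaf: a self-signed CA
// when parent is nil, otherwise a leaf signed by parent, good for client auth and (with hosts) server auth.
func issue(cn string, parent *tls.Certificate, hosts ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: hosts,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // a root: CA flags on, and it signs itself
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve listens on loopback, demands a client certificate chaining to ca, and greets each
// admitted client by the CommonName in its certificate; anyone else gets a TLS alert and nothing more.
func serve(server, ca tls.Certificate) string {
	roots := x509.NewCertPool() // the one root the network distributes; nothing else is trusted
	roots.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or an untrusted one: "go away"
		ClientCAs:    roots,
	})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // the presented chain verified against ClientCAs
				tc.Write([]byte("welcome " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
			tc.Close()
		}
	}()
	return ln.Addr().String()
}

// connect dials addr trusting ca for the server and presenting client when non-nil. Under TLS 1.3
// the server judges the client certificate after the client's own handshake has returned, so a
// rejection may only surface as an error on the first read; that is why the read result is returned.
func connect(addr string, ca tls.Certificate, client *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

// demo plays the thread's cases against one server: a member with a CA-issued identity certificate,
// a visitor with no certificate, and an impostor whose "George" certificate comes from an unrelated CA.
func demo() (member string, noCert, untrustedCA error) {
	ca, otherCA := issue("Example Network Root CA", nil), issue("Somebody Else's CA", nil) // constructed names
	server := issue("localhost", &ca, "localhost")
	george, impostor := issue("George", &ca), issue("George", &otherCA)
	addr := serve(server, ca)
	member, err := connect(addr, ca, &george)
	must(err)
	_, noCert = connect(addr, ca, nil)
	_, untrustedCA = connect(addr, ca, &impostor)
	return member, noCert, untrustedCA
}
```

Calling demo() yields "welcome George" for the member and a non-nil error for both the certificate-less client and the impostor, even though the impostor's certificate carries the same CommonName: the server never consults the name, only whether the chain terminates at the root in ClientCAs. That pool is the code-level form of "deliver the trusted root certificate within your network", and the set of identities you hand to issue() is what the Registration Authority controls. The TLS 1.3 point in connect matters for anyone scripting such a check: a successful Dial alone does not prove admission, since the server's alert can arrive on the first read.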