Difference between revisions of "Certificate Authority"
From MgmtWiki
Revision as of 19:06, 19 February 2024
Full Title or Meme
Any computer service that can evaluate and issue certificates to any Entity, either natural or otherwise, with some sort of digital Identifier.
Context
- Typically, certificates are issued in compliance with CCITT X.509 standards in support of a Public Key Infrastructure.
- Efforts started in 2024 are focused on finding other solutions, which might mean CCITT X.509 type certification in a JSON structure.
- Other efforts to create various types of Trust Registry are starting to look a lot like a Certificate Authority.
Problems
- Enhanced Security Verification: When you connect to a website, browsers like **Chrome** not only verify that a recognized Certificate Authority (CA) issued the certificate but also perform additional checks on the connection's security properties. One such check involves validating data from Certificate Transparency (CT) logs. These logs help detect any mis-issuance of certificates after they have been issued.[1]
- Post-Issuance Validation: CT works within the existing CA infrastructure to provide **post-issuance validation** of an entity's authorization for SSL certificate issuance.[2] By monitoring these logs, domain owners can identify any unauthorized or suspicious certificates associated with their domains.
- Privacy Concerns: Public CAs maintain **Certificate Transparency logs**, which are publicly accessible and searchable. Some organizations prefer to use their **internal certificate authorities** to avoid having their internal hostnames appear in these public logs.[3]
- Future Adoption: While most CAs currently support CT primarily for **Extended Validation (EV) certificates**, there is a possibility of extending it to all SSL certificates in the future.[4]
In summary, the move toward **Certificate Transparency** aims to bolster security, increase transparency, and ensure the integrity of SSL certificates across the web.
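The log monitoring described under Post-Issuance Validation and the hostname exposure described under Privacy Concerns can be checked together. The following is an added example, not part of the original wiki page: the record field names, domains, issuer names and suffix lists are constructed assumptions, and real entries would first have to be fetched and decoded from a log.

```python
# Constructed sample records: what a domain owner's CT monitor might hold after
# fetching and decoding log entries. Field names are hypothetical.
ENTRIES = [
    {"serial": "01", "issuer": "Example Trust CA", "dns_names": ["www.example.com", "example.com"]},
    {"serial": "02", "issuer": "Unlisted Issuing CA", "dns_names": ["login.example.com"]},
    {"serial": "03", "issuer": "Example Trust CA", "dns_names": ["build01.corp.example.com"]},
    {"serial": "04", "issuer": "Unlisted Issuing CA", "dns_names": ["example.com.other.test"]},
    {"serial": "05", "issuer": "Example Trust CA", "dns_names": ["*.EXAMPLE.com."]},
]
OWNED_DOMAINS = {"example.com"}           # assumption: domains this owner controls
APPROVED_ISSUERS = {"Example Trust CA"}   # assumption: CAs the owner actually uses
INTERNAL_SUFFIXES = {"corp.example.com"}  # assumption: names meant to stay private


def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def under(name, domain):
    """True if name equals domain or is a subdomain of it (label boundary)."""
    return name == domain or name.endswith("." + domain)


def review(entries, owned=OWNED_DOMAINS, approved=APPROVED_ISSUERS,
           internal=INTERNAL_SUFFIXES):
    """Return (serial, finding, names) tuples for entries that need attention."""
    findings = []
    for entry in entries:
        names = [normalize(n) for n in entry["dns_names"]]
        ours = [n for n in names if any(under(n, d) for d in owned)]
        if not ours:
            continue  # e.g. example.com.other.test only looks like our domain
        if entry["issuer"] not in approved:
            findings.append((entry["serial"], "unapproved-issuer", ours))
        leaked = [n for n in ours if any(under(n, s) for s in internal)]
        if leaked:
            findings.append((entry["serial"], "internal-name-in-public-log", leaked))
    return findings


if __name__ == "__main__":
    for finding in review(ENTRIES):
        print(finding)
```

Matching on label boundaries keeps look-alike names such as `notexample.com` out of the results, and normalizing wildcards and case avoids missing entries that cover the owned domain.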
References
1. How the Chrome Root Program Keeps Users Safe - Security Blog. https://security.googleblog.com/2023/05/how-chrome-root-program-keeps-users-safe.html
2. Why and How You Should be Using an Internal Certificate Authority. https://isc.sans.edu/diary/Why+and+How+You+Should+be+Using+an+Internal+Certificate+Authority/27314
3. Moving Forward with Certificate Transparency - Entrust Blog. https://www.entrust.com/blog/2014/12/moving-forward-with-certificate-transparency/
4. The HTTPS-Only Standard - Certificates - CIO.GOV. https://https.cio.gov/certificates/
5. How does Certificate Transparency Work? | DigiCert FAQ. https://www.digicert.com/faq/certificate-transparency/how-does-certificate-transparency-work
6. Moving Forward with Certificate Transparency - Entrust Blog. https://www.entrust.com/blog/2014/12/moving-forward-with-certificate-transparency/