Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

NetSec > Chapter 9iii: Certificate Issuance > Flashcards

Chapter 9iii: Certificate Issuance Flashcards

1
Q

Certificate Issuance

Explain 3 ways in which a certificate is issued in practice.

A
  • Domain Validation (DV): proves ownership of the domain
  • Extended Validation (EV): Additionally requires (strong) legal documentation of the claimed identity
  • Organizational Validation (rare): Between DV and EV; less documentation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Certificate Issuance How to get a Certificate?

Standard approach of domain validation:

  • Log into the CA’s awesome web interface
    *…
  • Verify domain with one of many vendor-specific verification methods (Mail to ca-admin@domain, http- Textfile, TXT DNS record, …)
  • Pay some sum of money
A

Generate RSA key
Generate Certificate Signing Request (CSR)
Fill out the ordering form, upload CSR
Receive and install the certificate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Certificate Issuance

Kurt Seifried vs. RapidSSL

What’s the main failure here?

A
  • CAs use a couple of ‘protected’ addresses for domain validation
  • In case of portugalmail.pt, these addresses were not protected…
  • Who ever controls these addresses, can request certificates for this domain
  • This issue is now in Mozilla’s ‘Problematic practices’
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Certificate Issuance Economics and security

  • Incentive to lower prices →…
  • Actually not true! Results of a study (2013): explain.
  • This shows customers behave rationally correct, but different from what designers of security system would have expected
A

less checks, makes certification cheaper

  • Empirical (quantitative) part: the more expensive CAs have more customers
  • Quantitative part: in interviews, customers say they prefer a CA that is ‘too big to fail’ and will never be removed
    from root stores
  • Indeed, large CAs are difficult to remove from root stores as the Web browser would suddenly show errors for
    many sites!
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How does the certificate issuance process work?

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Certificate Issuance HTTP-01 Challenge Request

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Certificate Issuance

HTTP-01 Challenge Verification

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Certificate Issuance

DNS-01 Challenge Verification

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Certificate Issuance ACME Certificate Creation

  • Authorized account key pair can …
  • Certificate Signing Request (CSR) (RFC2986) is …
  • CSR is signed by ….
  • Account key also signs …
A

request, renew and revoke certificates for the domain by signing messages
created for desired domains
private key of the public key that’s also in the CSR
whole certificate request with its private key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Certificate Issuance: ACME Certificate Revocation

When a certificate shall be revoked, …

The revocation is processed by the…

A

sign the revocation request with the authorized key pair!

CA and distributed to clients.

see slide 52-55 for some more about these.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

NetSec (22 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions