Using Personal Certificates
Jeff D’Angelo, Jeremy Hill
Network of People, Jan 6, 2005
Our role
• Not a formal ITS or Penn State project
– No support from ITS helpdesks
• We present this material today not as an authority but as peer
• Personal Certificate programs are global
• We are selfish – we want more points
• Our selfishness helps you
What types of certificates exist?
• Server
• Personal
• Code-signing
• Others (client, etc.)
How are certificates useful?
• Certificates bind a public key to an identity; by trusting the issuer, you can place trust in a party you have never verified yourself
• Can validate authenticity of peer/server in SSL/TLS communication (HTTPS, etc)
• Can encrypt/sign email (S/MIME)
• Can sign documents (e.g., PDF) so that recipients can validate them
• Can sign executable code
• Client authentication (VPN, HTTP, etc)
Methods of assuring identity
• Single assurance from Certificate Authority
• PGP Web of Trust (WoT) model
• Hybrid CA + Web of Trust model
How hybrid model works
• Community-based effort assuring the identity of peers
• Web-based point system keeps track of assurances received and given
• No single point of assurance failure: several independent assurers are needed
• Relying parties still verify new certificates through a single CA chain, without having to evaluate the web of trust themselves
Hybrid Web of Trust CAs
• Thawte
– Root trusted in most clients today
– FREE for personal certificates
• CAcert
– Server and code-signing certificates also FREE
– Requires root certificate installation in most clients today
Getting started
• 1) Apply for an account with Thawte (or CAcert)
• 2) Get points via assurances
– At 50 points, your name is included in your certificates
– At 100 points, you become a WoT notary
• 3) Give assurances to help the community
– The more assurances you have given, the more points you may grant per assurance
– Start at granting a maximum of 10 points and work towards a maximum of 35
Assurance process
• Meet the notary/assurer in person
• Provide proof(s) of identity matching the account information (e.g., driver’s license #, passport #)
• Notary/assurer makes a copy of the ID proofs
• Both sign a document attesting to the assurance
• Notary/assurer grants points to the assertion online
• Notary/assurer keeps the documentation secure and may produce it to the CA if audited
Demos
• Jeff
– Applying for Thawte Personal Certificates
– Downloading certificate into email client
– Signing, verifying email
• Jeremy
– Installing certificate into Adobe PDF
– Signing PDF documents
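The e-mail demo above, reproduced end to end with the openssl command line so it can be tried offline. This is an added example, not part of the slides or the presenters' material: a throwaway root CA stands in for Thawte or CAcert, the address alice@example.org, the subject names and the file names are assumptions, and the message text is constructed. It shows a personal (S/MIME) certificate being issued, a message being signed, and the three outcomes a mail client sees: verification succeeds when the issuing root is trusted, fails when a client has not installed that root (the CAcert situation noted earlier), and fails when the signed text is altered after signing.

```shell
#!/bin/sh
# Added example (not from the slides): S/MIME sign/verify round trip with openssl.
# A throwaway root CA plays the role Thawte or CAcert plays in the talk;
# "alice@example.org", the subject names and file names are assumptions.
set -eu

# Build a root CA, an unrelated second root, and a personal certificate in directory $1.
make_pki() {
    dir=$1
    # Root CA: the certificate a mail client must trust (installed by hand for CAcert).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Personal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Second, unrelated root: stands in for a client that has not installed ours.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
    # Personal key and request. The e-mail address is what the CA binds to the key;
    # the placeholder common name mirrors what Thawte issued before enough points.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Thawte Freemail Member/emailAddress=alice@example.org" \
        -keyout "$dir/alice.key" -out "$dir/alice.csr" >/dev/null 2>&1
    # Extensions that make this an e-mail (S/MIME) certificate rather than a server one.
    cat > "$dir/ext.cnf" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectAltName=email:alice@example.org
EOF
    openssl x509 -req -in "$dir/alice.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" \
        -out "$dir/alice.crt" >/dev/null 2>&1
}

# Clear-sign message file $2 with Alice's certificate and key from $1, writing $3.
sign_message() {
    openssl smime -sign -in "$2" -signer "$1/alice.crt" -inkey "$1/alice.key" -out "$3"
}

# Verify signed message $1 against trust anchor $2; prints "ok" or "fail".
verify_message() {
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Whole round trip; prints one line, e.g. "trusted:ok untrusted:fail tampered:fail".
smime_roundtrip() {
    work=$(mktemp -d)
    make_pki "$work"
    # Constructed sample message.
    printf 'Hello from Alice\n' > "$work/msg.txt"
    sign_message "$work" "$work/msg.txt" "$work/msg.signed"
    # Alter the clear-text body after signing; the signature must no longer verify.
    sed 's/Hello from Alice/Hello from Mallory/' "$work/msg.signed" > "$work/msg.tampered"
    printf 'trusted:%s untrusted:%s tampered:%s\n' \
        "$(verify_message "$work/msg.signed" "$work/root.crt")" \
        "$(verify_message "$work/msg.signed" "$work/other.crt")" \
        "$(verify_message "$work/msg.tampered" "$work/root.crt")"
    rm -rf "$work"
}

smime_roundtrip
```

The signed message carries Alice's certificate, so the verifier only needs the root; that is exactly why a CAcert root has to be installed by hand while a Thawte-issued certificate verified out of the box in the clients listed below.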
S/MIME E-Mail client support
• Mozilla Mail and derivatives (e.g., Thunderbird) – Good
• MS Outlook and Outlook Express – Good
• Eudora – Poor
• Pine – Poor
• Apple Mail – Decent
Conclusion
• Summary
• Q & A
• Thawte and CAcert assurances given during break
References
• Thawte Personal Certificates: http://thawte.com/email/
• CAcert Personal Certificates: http://cacert.org/