@Evaldo | okay :) |
@Evaldo | CAcert is a community-oriented certificate authority that issues digital certificates for free. Before explaining CAcert role in detail, I am going to give some background on certificates, signatures, what cryptografy can offer, introduce some secure devices and applications. |
@Evaldo | then, I will proceed to how CAcert works, what we offer, and finally a small word of who runs CAcert |
@Evaldo | a digital certificate is a structure that holds 1) identification information from the subject and the issuer, a public key, and a signature by the issuer on the certificate data |
@Evaldo | in practice, this is used to bind a public key to a real-world entity, being a person, an organization, or a service hosted in a recognized domain, which links to one of the previous entities |
@Evaldo | a certificate also carries its approved uses, to avoid using a "digital signature" certificate to sign code for a cellphone, for example. |
@Evaldo | certificates also have a validity period |
@Evaldo | (sorry for the delay, wireless went crazy) |
@Evaldo | Digital signatures are products of cryptographic operations over a private key and a file, resulting a "signature" which can be verified with a public key |
@Evaldo | they are used to verify the integrity of the signed file or message (if the data was modified, the signature will not match) |
@Evaldo | and also to identify the source of that message or file, using the certificate data |
@Evaldo | Non-Repudiation is a feature, meaning that all signatures made with that key are valid and the author cannot deny them |
@Evaldo | on to the Privacy scene, we have nowadays what I would call "digital postcards" as emails |
@Evaldo | since anyone can sniff the network, or tap into the mailserver and read your emails |
@Evaldo | this can be changed by using encryption, obfuscating the content |
@Evaldo | in some countries, providers are required to keep copies of your messages for years, and in other countries, laws have breaches which let corporations do it for profit |
@Evaldo | cryptography can be used to obfuscate the communication, establishing a secure channel through insecure media, like the internet |
@Evaldo | in the case of CAcert, we suport both OpenPGP and X.509, which mean we support the most used protocols, algorithm sets, specifications and techniques in the world |
@Evaldo | a nice feature of digital certificates is to allow "certificate sign on", which uses your loaded certificate to identify yourself to websites, eliminating the need for passwords |
@Evaldo | passwords are easy to copy, sniff, keylog too, meaning they are insecure for today's needs |
@Evaldo | Secure Devices are special equipment used to store and process private keys |
@Evaldo | we have two "main" kinds of secure devices: tokens and smartcards on one side, and hardware security modules on the other |
@Evaldo | SmartCards are well-known in many countries by now, while tokens are not so known. tokens are smartcards in usb enclosure, mostly |
@Evaldo | they normally have random number generator to avoid biased input, and they perform the decryption or signing of messages on the device, to avoid leaking the private keys |
@Evaldo | these devices normally are made on special material to avoid tampering, and self-destruct when a tamper or bruteforce condition happens |
@Evaldo | these devices are small and portable, but carry a limited set of information. normally from 4 to 200kb, enough to carry a few keys |
@Evaldo | smartcards and tokens vary in price on about USD 20 to USD 300, depending on the model and features |
@Evaldo | Hardware Security Modules, on the other hand, are devices to be used on servers, where high cryptographic load is expected, or higher key security is needed |
@Evaldo | Hardware Security Modules often have temperature, pressure, humidity, radiation sensors triggering autodestruction or key reset |
@Evaldo | made on special materials and coated with a wire net which ruptures and destructs the equipment if moved, covered with some special form of "tar" or "glue", and normally with a hard-to-open case |
@Evaldo | http://www.cl.cam.ac.uk/~rnc1/descrack/4758-big.jpg |
@Evaldo | this is an example of an internal hardware security module |
@Evaldo | this is the IBM 4758, evaluated in about USD 4000 or 5000 |
@Evaldo | on to cryptographic applications, I will be giving some examples about X.509 |
@Evaldo | X.509 certificates/keys can be used for digital signature, message encryption, including email, jabber and other protocols, powering SSL services like https or TLS-based smtp, pop3, imap |
@Evaldo | Code signatures as found in java applets, ActiveX, cellphone applications, mozilla firefox extensions and many others |
@Evaldo | certificate sign on, as I mentioned before |
@Evaldo | and establishing virtual private networks without the need of shared keys |
@Evaldo | let me introduce CAcert |
@Evaldo | CAcert is a certification authority that issues certificates for free, is platform independent, since we use open standards, technology neutral, be it X.509, OpenPGP or another suite we find interesting to support in the future, and it is operating since 2002 |
@Evaldo | Reasons for using CAcert.org services include the low cost, the widespread possibility, since some people can afford expensive certificates but others cannot or prefer not to, breaking some requisites for secure communications |
@Evaldo | CAcert separates identity verification from certificate issuing. this means more flexibility and less trouble when requesting many certificates |
@Evaldo | we allow unlimited amount of certificates to be issued by a user, with no fee at all, and we have a special section for organizations, done via the Organization Assurance process, easing the management of corporate certificates |
@Evaldo | CAcert's certificate authority currently resides in a secure datacenter, which is also used to store key servers of many australian banks |
@Evaldo | Our source code is available to download and audit, allowing people to see what they are running and what they are trusting |
@Evaldo | CAcert issues instant revocation lists, and supports online status verification. |
@Evaldo | we currently support client and server certificates, and the option to have code signing certificates and IDN domains, but more extensions are planned |
@Evaldo | we also support signing of users' OpenPGP keys |
@Evaldo | CAcert uses a Web of Trust approach to establishing trust. this means users themselves play a key role in identity verification process, and the users that are already assurers might assure other users, so they can get more points and use more features or eventually become assurers too |
@Evaldo | However, we demand that a special form is filled on the event of the assurance, and stored for some time, to allow quality assurance checks |
@Evaldo | some features require a minimum amount of points to take effect, as shown in slide 15 |
@Evaldo | slide 16 shows products that already include CAcert's root certificates, enabling users to use CAcert without the need to download our root certificates beforehand |
@Evaldo | CAcert has more than 43000 users today, 4000 of them are assurers, spread throughout the world |
@Evaldo | more than 57000 email addresses and 26000 domains have been verified, and are CAcert secured |
@Evaldo | CAcert issued more than 86000 certificates so far. (certificates can include several email addresses or several hostnames in a single certificate) |
@Evaldo | Behind CAcert.org, there is CAcert Incorporated, a nonprofit NSW, Australia association founded in 2003, that holds all CAcert assets |
@Evaldo | CAcert Incorporated is directed by a board of directors elected every year on the Annual General Meeting |
@Evaldo | I am open to questions, and thanks for the opportunity :) |
@Evaldo | anyone still here? :( |
Oroz | Evaldo: yes :) |
FANCHO | yes |
@Evaldo | :) |
Oroz | no questions tough 0:) |
@Evaldo | hehe |
FANCHO | thanks Evaldo |
znoG | evilbunny is involved with CAcert, isn't he? |
@Evaldo | znoG: yes |
znoG | Evaldo: is the CA for CAcert recognized on many browsers? |
znoG | ah, slide 16 shows products ... etc |
@Evaldo | znoG: not yet, but let me explain how it goes |
@Evaldo | mozilla, kde and other products did not have a position until recently |
@Evaldo | then kde said "we're closed for CA inclusions until we decide what we need to trust them" |
@Evaldo | and mozilla approved a policy for CA inclusion a few weeks ago |
znoG | oh, nice |
@Evaldo | so now they have an objective way of judging CAs |
znoG | what about IE, etc? |
@Evaldo | and we're undergoing an audit by them |
znoG | (netscape..) |
@Evaldo | IE requires some expensive certification, which we are not exactly able to afford every year, and even if we are certified, inclusion is not guaranteed |
@Evaldo | once mozilla accepts the CA, I think netscape is not going to be a problem, since they share quite a good deal of code and people |
znoG | yeah, true. |
znoG | who is CAcert targetted at? |
@Evaldo | pardon? I did not understand the question |
znoG | I mean, what types of sites are using CAcerts? (the vast mejority... F/OSS sites?) |
@Evaldo | znoG: well, right now we have fortune-500 companies, banks, telecommunication companies, users, FOSS projects, and even some cities are using our organizational services |
znoG | oh, i see. |
znoG | That's all the questions I have for now, thanks Evaldo. |
@Evaldo | np :) |
@Evaldo | by the way, if you guys want to meet me online, I use to be on irc.freenode.net and irc.cacert.org with the nick UdontKnow :) |
Oroz | many thanks Evaldo :) |
@Evaldo | you're welcome :) |