Overview of Certification Systems: X.509, CA, PGP and SKIP.

Presented at Black Hat USA 1999, July 8, 1999, 4 p.m. (60 minutes)

Cryptography and certification are considered necessary Internet features and must be used together, for example in e-commerce. This work deals with certification issues and reviews the three most common methods in use today, which are based on X.509 Certificates and Certification Authorities (CAs), PGP, and SKIP. These methods are respectively classified as directory, referral and collaborative based. For two parties in a dialogue, the three methods are further classified as extrinsic, because they depend on references which are outside the scope of the dialogue. A series of conceptual, legal and implementation flaws are catalogued for each case, emphasizing X.509 and CAs, which helps to provide users with safety guidelines to be used when resolving certification issues. Governmental initiatives introducing Internet regulations on certification, such as by TTP, are also discussed with their pros and cons regarding security and privacy. Throughout, the paper stresses the basic paradox of security versus privacy when dealing with extrinsic certification systems, whether with X.509 or in combination with PGP. This paper has benefited from the feedback of the Internet community, and its expanded on-line version received more than 50,000 Internet visitors from more than 20,000 unique Internet sites in 1997/98.


Presenters:

  • Ed Gerck - The Meta-Certificate Group.
    Ed Gerck received his Doctorate in Physics from the Ludwig-Maximilians-Universitaet and the Max-Planck-Institut fuer Quantenoptik, in Munich, Germany, in 1983, with the maximum grade ("sehr gut"). Since 1986 he has been active as a consultant and developer in the field of security and cryptography, for government agencies and international companies based in Brazil, the US and other countries. He is the founder and President of Novaware ISEC, developer of Holocomm encoding and other innovative communication and security software, such as the one-floppy WWW browser and e-mail agent WebBoy UMC in collaboration with IBM Japan. He is also the founder and current Coordinator of the Meta-Certificate Group - MCG, an open international non-profit group active in the field of Internet security and certification standards development, with participants from 28 countries. Ed Gerck was appointed in 1999 to the NSI's RAB -- Registry Advisory Board of Network Solutions, Inc., Herndon, VA, US. Dr. Gerck's most recent papers can be found at the MCG site.
