pki

Zitat des Tages

Written by  on August 16, 2016

Having more than one commercial CA provider can be a good decision to avoid vendor lock-in and provide a readily available alternative source of SSL certificates in the event a commercial CA is compromised.

Zitat des Tages

Written by  on August 15, 2016

If your SSL certificates on your Internet-facing e-commerce site expire, you will lose your customers' trust, resulting in a loss of business.

Zitat des Tages

Written by  on August 14, 2016

An expired SSL certificate in your network can have very real negative consequences, as it takes just one expired SSL certificate to put your business at risk.

Zitat des Tages

Written by  on August 13, 2016

For example, you may need an external commercially issued extended validation certificate for your e-commerce site at RSA2048 with SHA256, where your internal server may be perfectly happy with an internally issued standard SSL certificate at RSA2048 with SHA1 (for at least a little while longer).
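The three properties the quotes above turn on (key length, signature hash, and remaining lifetime) can be audited with nothing but the openssl CLI. The following script is an added example and not from the original blog; the policy thresholds (2048-bit minimum, no SHA-1 or MD5, warn 30 days before expiry), the hostnames and the two sample certificates it generates are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original blog): audit PEM certificates for key
# length, signature hash and time to expiry with the openssl CLI only.
# The policy values below are assumptions for the demo, not from the blog.
MIN_BITS=2048
WARN_DAYS=30

# cert_facts <file>: print "<key bits> <signature algorithm> <ok|expiring>".
cert_facts() {
  text=$(openssl x509 -in "$1" -noout -text)
  # "RSA Public-Key: (2048 bit)" on OpenSSL 1.1, "Public-Key: (2048 bit)" on 3.x
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1)
  # -checkend returns 0 when the certificate is still valid N seconds from now
  if openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
    expiry=ok
  else
    expiry=expiring
  fi
  printf '%s %s %s\n' "$bits" "$sigalg" "$expiry"
}

# check_cert <file>: print every policy violation; return 0 only if there is none.
check_cert() {
  set -- "$1" $(cert_facts "$1")     # $1 file, $2 bits, $3 sigalg, $4 expiry
  status=0
  [ "${2:-0}" -ge "$MIN_BITS" ] || { echo "$1: weak key ($2 bits)"; status=1; }
  case "$3" in
    *sha1*|*md5*|*SHA1*|*MD5*) echo "$1: weak signature hash ($3)"; status=1 ;;
  esac
  [ "$4" = ok ] || { echo "$1: expires within $WARN_DAYS days"; status=1; }
  return $status
}

# Constructed sample certificates: one that meets the policy and one that
# fails on both key size and remaining lifetime.
tmp=$(mktemp -d)
GOOD_CERT="$tmp/shop.pem"
WEAK_CERT="$tmp/intranet.pem"
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -subj "/CN=shop.example" \
  -keyout "$tmp/shop.key" -out "$GOOD_CERT" 2>/dev/null
openssl req -x509 -newkey rsa:1024 -sha256 -nodes -days 3 -subj "/CN=intranet.example" \
  -keyout "$tmp/intranet.key" -out "$WEAK_CERT" 2>/dev/null

for c in "$GOOD_CERT" "$WEAK_CERT"; do
  if check_cert "$c"; then echo "$c: OK"; fi
done
```

Run over a directory of exported certificates (or over `openssl s_client -showcerts` output saved to files) from a cron job, and alert on any non-zero exit; `-checkend` is what does the expiry arithmetic, so no date parsing is needed.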

Zitat des Tages

Written by  on August 10, 2016

Constantly check the security of your CA operations.

Zitat des Tages

Written by  on August 9, 2016

CAs are becoming targets for attackers.

Zitat des Tages

Written by  on August 8, 2016

Plan on time to push new CA certificates out into your infrastructure and user base. Do not attempt to generate a new CA and plan to start using it to issue end-entity certificates on the same weekend!

Certificate Trust

Written by  on July 2, 2016

It is a bad practice to blindly trust an unknown certificate issued from an unknown CA.

How fortunate that operating systems don't ship with certificates from hundreds of unknown CAs.

Log filtering

Written by  on July 1, 2016

Sensitive information should be filtered at the source during log generation.

Data worth protecting should not end up on possibly less well protected systems in the first place.
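One way to do the filtering at the point where the log line is produced, as an added example that is not from the original post: a small shell logging helper that masks credentials, bearer tokens and card numbers before the line is written, so the secret never reaches the log file or any downstream collector. The field names, patterns and sample events are constructed for the demo, and the patterns are deliberately simple; a real deployment tunes them to its own log format.

```shell
#!/bin/sh
# Added example (not from the original blog): redact sensitive fields at log
# generation time, before anything is written to disk or shipped off-host.
# Patterns and sample events are constructed for the demo.

# redact: filter stdin -> stdout, masking the usual offenders.
redact() {
  sed -E \
    -e 's/([Pp]assword|passwd|pwd|secret|token)=[^ &;,]*/\1=[REDACTED]/g' \
    -e 's/(Bearer|Basic) [^ ]+/\1 [REDACTED]/g' \
    -e 's/[0-9]{12}([0-9]{4})/************\1/g'
}

# log_event <logfile> <message>: the only way application code should write a
# log line; the message is redacted before it touches the file.
log_event() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" | redact >>"$1"
}

# leaks <logfile> <string>: number of log lines still containing the string,
# used to confirm that nothing slipped through.
leaks() {
  grep -c -F "$2" "$1" || true
}

# Constructed sample events written through the redacting logger.
LOG=$(mktemp)
log_event "$LOG" "login user=bob password=hunter2 result=ok"
log_event "$LOG" "payment card=4111111111111111 amount=42.00"
log_event "$LOG" "api call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"
cat "$LOG"
```

The point of routing everything through `log_event` is that the masking runs inside the process that owns the data; a filter bolted onto the collector would already have let the plaintext traverse the network and the collector's disk.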

CRL contents

Written by  on June 30, 2016

Per the RFC 5280 specification, a complete CRL contains all unexpired certificates that have been revoked within the CA scope. Thus, each CA maintains its own CRL, such that a relying party needs to deal with more than one CRL. The various CRLs are posted on an accessible site where relying parties can download the certificate status information.
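Both the August 8 quote (push a new CA out before it issues anything) and the CRL post above can be seen end to end with two throw-away CAs. The script below is an added example, not code from the original blog: part 1 shows a relying party rejecting a certificate from the new CA until that CA is in its trust store, part 2 shows that each CA signs its own CRL, so revocation checking fails unless the relying party has the CRL of the CA that actually issued the certificate. CA names, hostnames, paths and the minimal openssl config are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original blog): two private CAs built with the
# openssl CLI. Part 1 shows a relying party rejecting a certificate from a
# new CA until that CA has been pushed into its trust store; part 2 shows that
# each CA signs its own CRL, so revocation checking needs the CRL of the CA
# that issued the certificate. CA names, hostnames and paths are invented.
work=$(mktemp -d)

# One minimal config for every demo CA; $ENV::CA_DIR selects which one.
cat >"$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF

# make_ca <name> <CN>: self-signed root plus the bookkeeping files openssl ca needs.
make_ca() {
  CA_DIR="$work/$1"; export CA_DIR
  mkdir -p "$CA_DIR/newcerts"; : >"$CA_DIR/index.txt"; echo 1000 >"$CA_DIR/serial"
  openssl req -config "$work/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
}

# issue_cert <ca> <leaf> <CN>: CSR signed by the named CA and recorded in its database.
issue_cert() {
  CA_DIR="$work/$1"; export CA_DIR
  openssl req -config "$work/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl ca -config "$work/ca.cnf" -batch -notext -in "$work/$2.csr" -out "$work/$2.pem" 2>/dev/null
}

# Revocation is recorded per CA, and each CA signs its own CRL.
revoke_cert() {  # revoke_cert <ca> <leaf>
  CA_DIR="$work/$1" openssl ca -config "$work/ca.cnf" -revoke "$work/$2.pem" 2>/dev/null
}
gen_crl() {      # gen_crl <ca>  -> $work/<ca>/crl.pem
  CA_DIR="$work/$1" openssl ca -config "$work/ca.cnf" -gencrl -out "$work/$1/crl.pem" 2>/dev/null
}

# trusts <ca-bundle> <leaf>: 0 if a relying party holding only that bundle accepts the leaf.
trusts() {
  openssl verify -CAfile "$1" "$work/$2.pem" >/dev/null 2>&1
}
# trusts_with_crl <ca-bundle> <crl> <leaf>: as above, but also requires a CRL from the
# issuing CA; fails if the leaf is revoked or if no CRL for its issuer is available.
trusts_with_crl() {
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$work/$3.pem" >/dev/null 2>&1
}

make_ca old-ca "Demo Root CA 2010"
make_ca new-ca "Demo Root CA 2016"
issue_cert old-ca intranet intranet.example
issue_cert new-ca shop shop.example

# Part 1: the trust store clients received years ago holds only old-ca.
cp "$work/old-ca/ca.pem" "$work/truststore.pem"
trusts "$work/truststore.pem" shop || echo "shop.example rejected: clients do not know new-ca yet"
# Only after new-ca has been pushed out does the very same certificate validate.
cat "$work/old-ca/ca.pem" "$work/new-ca/ca.pem" >"$work/truststore.pem"
trusts "$work/truststore.pem" shop && echo "shop.example accepted after the rollout"

# Part 2: revoke intranet.example at old-ca; both CAs publish a CRL.
revoke_cert old-ca intranet
gen_crl old-ca
gen_crl new-ca
trusts_with_crl "$work/truststore.pem" "$work/old-ca/crl.pem" intranet || echo "intranet.example rejected: revoked"
trusts_with_crl "$work/truststore.pem" "$work/new-ca/crl.pem" shop && echo "shop.example accepted: its issuer's CRL is clean"
trusts_with_crl "$work/truststore.pem" "$work/old-ca/crl.pem" shop || echo "shop.example undecidable: wrong CA's CRL"
```

The last line is the practical consequence of the CRL post: a relying party that enforces revocation checking has to fetch one CRL per issuing CA, and a certificate whose issuer's CRL it cannot obtain is not "probably fine", it is unverifiable.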