Watch Out
Changes to SSL/TLS Certificate Validity Periods – September 2020
It was recently announced that Google Chrome will be joining Apple Safari in implementing a change to publicly trusted SSL/TLS certificates. This change, however, will impact organizations operating their own internal PKI as well. While the change was initially submitted to the official CA/Browser Forum, the vote failed last year. However, both Apple and Google…
Microsoft January Patches and CVE-2020-0601
Ignore Revocation Checking – The bane of my existence!
As students in my PKI training classes know, one of the areas I am vocal about is the blind use of the CRLF_REVCHECK_IGNORE_OFFLINE setting in a PKI environment. I am so adamantly against the use of this setting, I personally refuse to ever explicitly share or type the syntax to enable this nasty beast.…
What Your Browser Doesn’t Tell You Can Hurt You – Revocation and Internet Explorer
One of the topics I have been using as an example of revocation checking behavior in my PKI In-Depth class is the interesting case of Internet Explorer (IE) and its revocation behavior. Let’s take a moment and have you think about your assumption of how IE is behaving when you go to an HTTPS (SSL/TLS)…
Certificate Transparency Enforcement and Microsoft CAs – Oct 2017 Deadline
To address some weaknesses in the public PKI trust process, Certificate Transparency (CT) was created to make it easier to detect and track fraudulent certificate issuance and use. The intent is that a small collection of log servers would contain information about valid certificates and browsers can check the log to see if a given certificate…