Questions tagged [public-key-infrastructure]
A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). There are three main categories of PKI: Web / SSL certs, corporate networks, and Government ID / ePassport.
1,369 questions
13
votes
3
answers
2k
views
Installing root certificates by government
The government of Kazakhstan, in order for citizens to use electronic government services (egov.kz), requires installing the NCALayer application on the computer for working with digital signatures. ...
- 131
1
vote
1
answer
279
views
mTLS with trust established through a chain of client certificates rather than a central CA
TL;DR: I want to forward-chain client certificates by including their successor public key as an extension. See Questions.
I am thinking about using client-side certificates in TLS (mTLS) as a more ...
- 11
3
votes
1
answer
1k
views
Can a public certificate provider impersonate an AD?
I do not know much about how MS Windows interprets client certificates but I was faced with a statement I have a hard time integrating.
The context: organization EXAMPLE has an Active Directory and an ...
- 9,238
3
votes
1
answer
4k
views
Are there any security concerns with this authentication flow?
I’m in the process of developing a native app and am currently trying to come up with a workflow to secure the communication between my app and the server.
I’ve done a lot of research and have not ...
- 41
0
votes
1
answer
130
views
Restrict gpg from decrypting a file encrypted by a subkey which is now expired or revoked [duplicate]
GPG allows file encryption for multiple recipients. I prefer to encrypt files:
Only to recipient subkeys shared with me by the intended recipients, like so:
$ gpg --encrypt --armor --recipient <...
2
votes
0
answers
145
views
Pros and Cons of implementing custom certificate provisioning for IoT devices
I`m working on a project for improving security of IoT devices by using per device X.509 certificate for authentication. The company uses IoT sensors, created inhouse, to gather data for analytics.
...
- 21
5
votes
5
answers
3k
views
How does a TLS client certificate prove the identity of the client?
About TLS Client Certificates
How does a TLS client certificate prove the identity of the client? Yes, only the client has the private key so a client-key handshake can be completed. But how does that ...
- 51
5
votes
2
answers
1k
views
When to use a CRL distribution point in a root certificate?
I understand that each certificate can have a CRL distribution point (extension 2.5.29.31) – or even multiple ones, but let's not consider that for the moment. Let's assume we have a root CA > ...
- 824
12
votes
3
answers
2k
views
Is it common practice to remove trusted certificate authorities (CA) located in untrusted countries?
With all currently ongoing global conflicts in the world, I was thinking about removing default trusted certificate authorities root certificates that are from countries that are (no longer) ...
- 7,725
2
votes
1
answer
255
views
How to manually test for invalid Route Origin Authorisation (ROA) and Route announcement validity?
Internet.nl checks a domain for some security settings among which:
Route Origin Authorisation existence and Route announcement validity for both the webserver and nameserver IP addresses.
They write:
...
- 7,725
1
vote
0
answers
214
views
Intermediate issuer field didn't match its CA subject field
While debugging yesterday's Cloudflare incident, I found out their intermediate certificate issuer field differ from its signing CA subject, despite the AKI/SKI were correct.
Here's the relevant CA ...
- 139
1
vote
0
answers
113
views
where is the "DNS Format" for private keys described?
RFC6605: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC has this example of a P-256 key:
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: GU6SnQ/Ou+...
- 1,830
1
vote
1
answer
375
views
How to determine hashing algorithm of a public key in the certificate?
The certificate has the fields Signature algorithm and Signature hash algorithm, which determine what algorithm the certificate was signed with, and Public key, which determines what algorithm the ...
0
votes
1
answer
267
views
Best Practices for WebAuthn FIDO2 reset
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:...
- 1
2
votes
1
answer
879
views
Is it possible to store or import an external private key into a TPM?
Let's assume I have 3 computers, each with its embedded TPM. I also have a pair of asymmetric keys, which I created elsewhere. I want to store & import the same external private key I have created ...
- 121
