Back To Schedule
Thursday, October 3 • 11:00am - 11:50am
Securing the digital certificate issuing process

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Public Key Cryptography is a reality in Brazil. For the past three years more than five million digital certificates were issued under the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil). This number is expected to grow more and more insofar as new applications created for using digital certificates are incorporated in the Brazilian’s everyday life.
A digital certificate is a digital file that binds a public key to a specific subject. It is usually issued by Certificate Authorities (CA), entities that are trusted by the public. The public key is mathematically related to a private key, which is supposed to be kept by (and only by) the subject.
The process of issuing digital certificates is crucial to the Certificate Authority operation. Through it, the digital certificate requesters perform the key pair generation and create a formal request (Certificate Signing Request), which is sent to the CA for validation and certificate file generation (formatted according the X.509 standard).
Important parts of this process take place in the requester/end-user environment, that is, the key pair generation, formal request creation and final installation of the digital certificate into the cryptographic repository. Security is obviously a critical issue in this scenario, mostly because we are dealing with an environment that is not controlled by the certificate authority: the end user’s one.
The purpose of this talk is to describe the path followed by Certisign Certificadora Digital S.A. through the years, searching to improve the digital certificate issuing operations that take place in the end user’s environment, focusing on usability and security. We are going to show the software components adopted, their evolution, problems faced and solutions applied. We are also going to take the opportunity to discuss trends, standards and projects under development in the field.
Emphasis will be placed on the Web Application security issues related to the digital certificate issuing process, since most of the existing Certificate Authorities make use of this kind of application to deliver services to their stakeholders and customers. It keeps representing a challenge to the application developers, as long as Web Browsers and Operating Systems impose a great number of restrictions on the interactions between the web page and cryptographic key repositories. Also, the currently known Web Application vulnerabilities represent an important threat to the end user and to the whole Public Key Infrastructure.

avatar for Bruno Ribeiro, M.Sc., CSSLP

Bruno Ribeiro, M.Sc., CSSLP

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on business solutions. Expert in secure software engineering with 15 years of experience in analysis, development and requirement specification of security software. Master's Degree in Software Engineering... Read More →
avatar for Andre Ortiz

Andre Ortiz

Software Development Coordinator, Certisign Certificadora Digital SA
Software Development Coordinator at Certisign Certificadora Digital SA with focus on services solutions. Expert in software development with more than 10 years of experience in system administration, object oriented programming, software architecture and e-commerce applications. Bachelor... Read More →

Thursday October 3, 2013 11:00am - 11:50am PDT
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru