All right, I think we'll get started. So today we have the pleasure of having Ian Grigg from CAcert here, and if you know anything about SSL, you probably know that SSL is a little bit of an elaborate scam, which consists of taking people's money and selling them numbers. Right, now to be fair, the certificate authorities do some verification of your identity when you buy an SSL cert. Or so we thought, before the EFF released the findings from their SSL Observatory, where they found, for example, that quite a few people around the world have a valid cert for 127.0.0.1. So maybe it's not all that great. But anyway, CAcert is a grassroots response to the SSL cert business. Now CAcert believes that anybody should be able to afford SSL certificates, not just people who happen to live in rich countries that can afford to buy expensive numbers. So anyway, that's a little bit of my rant. Please help me welcome Ian Grigg.

Thanks, and it's good to be here. This is nominally supposed to be an assurer training event, a training event for assurers, which we're going to do in the next session. The next session was too short for that event, so we've sliced out some parts and put them into this session, which means this session is more like an open introduction. It's talking about things in general, and that means I'm going to talk about stuff that I'm interested in. If you want to hear something, then you probably need to stick up your hands and ask. I'd like to say thanks to Francois for this, and also a big thanks to the Linux people for actually having managed to get their disaster recovery plan to work. I would ask: did they have a disaster recovery plan beforehand, or did they invent it on the fly? Either way, they got there. That's me. I am Ian Grigg, commonly known as Ian G.
I'm on various teams, but the most important ones that we're talking about today are assurance, audit and board. This is a rough agenda for this part. Two things I would like to talk about: SSL everywhere, and client certificates, and then finally a bit about CAcert and where we fit into things. And then the later afternoon session is this assurer training event, which starts out with CAcert and how it got affected by the audit process, and then goes on to the assurance side, what you as an assurer need to know. We won't cover that area this time, but it'll be in the next session. How many people here are actually assurers? About one. How many people know about CAcert and are part of it? Okay. Oh, that's not bad. That's not bad. Okay.

So this talk here, as you can see, I've cobbled these slides together from a different set of areas. Oh, wrong one. Okay, SSL everywhere. I just put this together in the half hour or so before this, so it's the first time it's ever been seen. What are we trying to do with SSL certificates? We're trying to get SSL to protect stuff. But what tended to happen over the last ten years, it started in 2001 actually, by 2003 it was proven, and that's this thing called phishing. While phishing was arising, other things started happening, lots of breaches and so forth. The response to this, to my mind, consists of three things that we can do. HTTPS Everywhere is a new label which is being brought out by the EFF people. Client certificates are something that can help there, and so can CAcert. So that's what these are. The first thing I would talk about is this HTTPS Everywhere thing.

What went wrong? This is very much the helicopter view, this is not the technical view. In phishing, the attacker manages to convince Alice to go to the wrong website. How he does that is another issue, but he's actually managed to do that.
So let's start from that point. At that point, the browser is supposed to tell Alice that she's on the wrong website, or she's on the right website, or whatever. The browser is supposed to tell her that, but the browser didn't tell her that, so what went wrong? Well, it turns out that there's a big problem with the browser: it runs two protocols, HTTP and HTTPS. HTTP, the basic cleartext stuff, doesn't say anything at all. It doesn't warn, it doesn't do security at that level at all. And also HTTPS doesn't really say enough to be able to stop this happening.

Why is all this? Well, we can look back in history, and it's a lot of history. We're going back to 1994, when the web really started up. Netscape was the big thing at the time, and there were a set of browser wars going on, firstly with Mosaic and then moving on to Microsoft coming in. A lot of stuff was going on then. One of the responses was the SSL development, which had problems right from the start because they adopted a threat model which is probably inappropriate for various reasons. All of this got caught up in a real estate war on the browser. You've probably come across the padlock. How many people here know that the padlock is going to disappear? A few, yes. After 15 years the padlock is now deprecated in Mozilla. Things are moving on. Then there's the whole CA business. How the CA business started up is an interesting story in itself. The PKI concept is part of it, special interests, we've all heard of the conspiracy theories, no doubt, and so on and so on. If you go into the history, you end up getting the feeling that too much was going on and you really can't unravel why SSL and browsers are as they are.

But we can look at the market and we can say, what's going on here? Well, it's quite simple. HTTP is overused. It's used everywhere for almost everything, and HTTPS isn't used that much at all. It's literally underused. And now we can, from our helicopter, look at the result of this, and that is: if all of the traffic, more or less, statistically speaking, 99% or however you measure it, if that's all HTTP, and if a tiny portion of the traffic is HTTPS, that's the protected stuff, then the attack will always be the same. It will be to downgrade from HTTPS to HTTP, and that's what phishing is. It simply downgrades from one method to the other, and the other just happens to have no warnings.

So to address that, what we need is more HTTPS. We need more security, more SSL. At the least, what we want is a whole lot more: instead of 1%, we want something like 10%, and at 10% things start to happen. People start to respond, people start to learn about it. So why didn't that happen? Why don't we have HTTPS everywhere? It was originally meant to be everywhere, but when it first came out, speed was an issue. As soon as you turned on HTTPS you lost about a factor of 10 on performance, but that was back in 1995. Now in 2010 we've got laptops that are fast, we've got servers that are fast, and most of them are sitting there doing nothing. The effect of switching to HTTPS is not very strong, so we don't have to worry about speed anymore. Another factor was that there was a bug in SSL. Now, I say it's a bug, although nobody much agrees with me. The problem was that you needed one IP number for one SSL connection to one site, which became a problem because fairly soon after websites started up, everybody went to virtual hosting across one IP number, which worked fine, but you couldn't do it with SSL. All of your Apache httpd and so forth are all set up to run multiple websites over one IP number, and they can't do SSL over that. There is now, however, a fix for this bug. It's called TLS SNI. SNI is Server Name Indication. It's in Apache httpd now. Question is, has it got to the Linux distros?
I'm not quite sure on that. The third reason is that certs are complicated and expensive. You had to buy them, and when you did buy them, they were messy to install. They weren't like other things, they weren't like good start-up situations where you download the software, you get it up and going and away you go. So it's complicated, and this is where CAcert comes in. We try to deliver free certs. That's one of those two issues there solved.

Now, what can you do right now? I'm conscious of the fact that I'm speaking to the Linux community. Linux runs just about all the web servers in the world, on a statistical basis. Because you're all doing virtual servers, you can all make a big difference by looking for this TLS SNI, Server Name Indication, patch. It's shipping in httpd. I'm not sure how many... does anybody know how many distros are actually shipping with TLS SNI yet? Nobody? How can you tell? I don't know. The bug got fixed, or it got distributed out of httpd, about one to two years ago. It was ten years coming, that particular bug. Okay, what you can do is look for that, get it running on your Linux servers, switch all of your virtual servers across to SSL, sharing your one IP number, and that way we build up the number of SSL websites.

Why am I saying this? The thing is that we're missing out on a whole lot of security because we have so few HTTPS websites. The downgrade attack is very easy. Nobody notices when the attacker manages to switch you across to HTTP. The solution to that is to get more HTTPS, more SSL, out there. Once we've got more people out there, more SSL out there, people get more familiar with it, and it also puts more pressure on the browser people to work on the user interface. There are a lot of good user interface ideas out there, but unfortunately they've all been downgraded because not many people are using SSL. The browsers are not that interested in this problem. The other thing is that this change isn't going to come through from the big institutions. The banks and so forth, which care about SSL, aren't going to do anything about it. What's going to happen is, once TLS SNI starts to filter through, once the grassroots Linux people can start to do virtual SSL sites, the experience will build up and the demand will build up from the lower side, and then that experience will move up the tree to the high-end areas such as the banks that do need the protection.

Okay, that's my, if you like, my personal rant on why we need more HTTPS. Does anybody want to challenge me on that? Yeah? Does it require...? Yes, yes, but all the browsers have supported it for years. I mean, I think there's like one browser in one version that doesn't support it, or something like that. Sorry? IE6 doesn't, yeah. Yeah. It's always this chicken and egg problem. Yeah, there's always some laggard. But as far as the browser world is concerned, we're waiting for Apache. I'm not sure whether IE has it, but I guess that's not interesting to this audience, right? Yes. I think because the browsers have it, once the Apache websites start to use it, the push will come through that way. If this was put up and done, they probably wouldn't be able to see, they wouldn't be able to understand the certificate, so they'd probably have to click through. Yeah, and that's not a bad thing, is it? They should be upgrading. Okay?
So what else can we do? We can do client certs. Now, this is kind of a self-interested thing because CAcert delivers client certs, and it can do so, and there's no problems. We come up to the other problems a bit later. Client certificates are a funny beast. They address an authentication problem. Authentication, this whole idea of knowing who you're dealing with, went through a whole bunch of phases, which I sort of put some numbers on there. Right in the beginning of the internet, this is probably pre-web times, everybody was using email and so forth, and everybody was more or less trusted on the internet, and that didn't last very long. Then somebody came up with the idea of passwords and usernames, and that went for a while. Then the whole web thing started up, and once the web started up, the internet became for the masses. At that stage we got to the idea of single sign-on. This was the stuff people were talking about in the late 1990s, and then in the early 2000s people were talking about federation and so forth. This whole authentication thing goes on. There's other things going on now, what is it, Identica and OpenID and things like that.

What kind of went wrong? Well, if you don't have something, then there are too many people on the net, and some of those people are untrusted. Passwords have a problem with complexity. If you've got too many sites and you've got people crunching passwords, you need passwords which are too long, so you've got this N times N problem. And then once that happens, once you've got each person having too many, too complex passwords, you get into this security and support problem: too many people losing their passwords. The problem with SSO and federation was more or less this situation of technology versus sites. Everybody had to have a method, every site had to have a method, and you ended up with a lack of widespread adoption. There was also the issue with who's got your data. It was a bit scary because a lot of people were talking about federation from the point of view of one trusted party looking after your data, but who really believes that? And even the businesses were starting to get a little bit scared about that, because they were seeing their customer data lent out to other people, and that's something that does scare businesses. Businesses do care about privacy as long as they're in control; then they're very happy. But if somebody else has got their customer data, that's the worst thing that can happen to them.

So the thing is, why don't we have computers and technologies and protocols to do this? Well, we already do. It's called client certificates, and if you look at it from a sort of information-theoretic point of view, public-private keys are like extremely complicated passwords which are tied one for one with big numbers, and from a technical point of view they can replace passwords quite easily. There's another great advantage to them: every browser and every web server has this code in. Unlike some of the other technologies that we've heard about, all of these buzzwords that you hear about, this stuff is already in there. It's been in there for a long time. So why didn't they work out?
Well, it wasn't because of the software. It wasn't so much because the data was at risk or the customers were at risk. It was again this chicken and egg problem. Every person needed a certificate and every site needed to switch on the client certificate access, which meant that every site would look at the people who had client certificates, and almost nobody has them, and every user would look at client certificates and say, oh, but none of the sites require it. You've got this chicken and egg problem. Yeah. Because there wasn't enough demand for the product, the browser programmers weren't putting enough effort into the working of the software, and the end result is that the interfaces are quite buggy. There's a lot of difficulties there.

So this is kind of a story about how CAcert got into the business of solving this, accidentally. Certificates, they're supposed to be about identity and they're supposed to be about assurance. They're supposed to mean something, and the way the CA business has evolved, not through grand thought or strategy but through accidental circumstances, CAs check your identity and then they can issue a certificate. Now, we ended up in CAcert with something like, at the time, 10,000 assurers around the world, mostly concentrated in Europe. CAcert, just as a digression which comes in a bit later, I guess, was started in Australia. However, it wasn't particularly successful in Australia in terms of numbers. Initially it was quite successful, but it moved to Europe and we have a very strong base in Europe. These assurers that are all the way around the world needed to be audited. They needed an audit, they needed to be tested, they needed to meet a minimum standard. So what happened was, we at CAcert sat down and thought about this and said, okay, we'll create an online test.

We'll do a simple basic test, which we called CATS, the CAcert Automatic Testing System, and we said, okay, a bunch of multiple choice questions, every assurer must go through this. We're talking about 10,000 people there. And at that point we also had an inspiration: how do we know who is an assurer, and whether you are an assurer? Well, we said, okay, you've got to have a client certificate from CAcert. Why did we do that? Well, a bunch of reasons could be put forward. Because we're a CA. It's so cool to do so. We wanted our assurers to know about certs, client certs. Yeah, that's a good reason. Actually, we kind of did it because we had the feeling that this was the way to go. The CATS system only accepts client certificates. You can't get into there with usernames and passwords and so forth. So as an assurer, you've got to go get your client certificate, go into CATS, do your 25 multiple choice questions, and then you can pass the challenge and be an assurer. It worked. It went live in early 2008. It was obligatory in 2009, which meant that you couldn't be an assurer without this. When it started we had 10,000 or so of these assurers, and immediately it dropped down to zero, by the fact that nobody had done the challenge. Very quickly it came up into the low hundreds and climbed and climbed. Today, or as of last night, I checked it, it's 4,136. That's people around the world who've connected in and passed their Assurer Challenge. The thing there is that the end result is we are a lot stronger because we have this test, this objective test of what these people can do, what they know and so forth. So it worked out as a big process for us, but it also meant they all know about client certificates. They all have a client certificate.
We now can make the statement: every one of our assurers has a client certificate, which means that we can now move across to all of our websites, and that's what we've been doing, and turn them all onto client certificate access. We can throw away usernames and passwords, and this is what we've been doing. We've migrated so far the WordPress, the Simpa, the mailing lists, a voting tool. There's a bunch of other things such as surveys and testing. It's basically something that's on the sysadmin work list, and has been for the last year or two, to move every system across to client cert.

Results. Now, what has this meant for the blog? It's fairly clear. If you've got a certificate, you can get write access to our blog. You don't need to ask anybody, you don't need to get permission. We've got a blog that speaks out to this entire community there, and we don't have to worry about spam, because to be a spammer you'd have to go and join the association, join the community, get your client certificate and then start accessing the blog. It's too much work for a spammer. And so consequently we've now got a situation where we don't worry about lost accounts anymore. People just go and get another client certificate. We don't have to worry about passwords being lost. So our administrator, who's generally bogged down doing this sort of administration, is now doing other things. It's released that person on to other work, and there's also no more arguments about who is allowed to access the blog, who's allowed to write a post, who's allowed to speak to the user community. Everybody's allowed, everybody can get into our blog and write a post, and it's a fairly middle-ranking, reasonably ranked blog with a lot of links. So we end up having a lot more authors and a lot more users writing their posts. This has been sort of duplicated across the other sites where we've used client certificates. Once you get over the hump of getting everybody to have client certificates, you get more productivity.

But there are a bunch of gotchas, a bunch of problems. Firstly, as the gentleman down the bottom here said, there are problems. Firefox, for example, gets confused about multiple certificates. So if you've got two, three, four, five certificates in your web browser, Firefox isn't so good at deciding which certificate to use in which place, and basically what we're doing here is we're waiting for the guys over in the Firefox team to add an ability to record which certificate goes to which place. That's one issue. The second issue is that you get a bunch of crazy messages, and the root of this is, if the Apache is somewhat misconfigured, and that's a very broad term, and it doesn't like your certificate for some reason or other, it will treat it as a security problem and dump the SSL connection. So what then happens is the browser sees an SSL protocol error. Instead of saying, oh, your certificate isn't quite right, we need you to go and get it renewed, or you need a certificate from another vendor or something like that, it gives the user a protocol error, and the user really isn't equipped to be able to deal with any of these random errors which are popped up. This is just an artifact. Having looked at both sides of the argument, it's an artifact of not enough demand for the product. Once client certificates are in more widespread use, and once people have had more arguments, the developers on both sides will get together and start agreeing how to deal with these strange client certificates. We just need more user complaints. That's my view there.

The next thing is, how do you actually use these things? There's several strategies. You might find yourself using passwords and client certificates as well, and this is going to happen if your user base is already using passwords and you're adding client certificates. The problem with this is it's a bit too much like the existing problems with HTTP. You've got an attack between the gap. You've got a downgrade, if you like, a downgrade attack. If you've got multiple methods, you will always have problems. Also, you're always coding around the edge. You're always trying to code around the best way to move between passwords and client certificates. It's more work, so you're better off going for client certificates only. Why? As it says there, only do that if you have to. For example, the CAcert main website does take passwords because everybody's got a password. We won't be able to switch that off for a long time. The second strategy is to only use client certs. That's the only way you do it, and this in essence amounts to outsourcing your password problem to the CA, the client certificate vendor.

Now here we find a bunch of questions. Firstly, Apache. There's several ways to do this. You can do the processing within Apache, using the various config files and so forth. The problem with Apache is that it's got quite a complicated way of arranging its client certificates, and this is mingled in with a complicated way of dealing with its directories and various other permissions. So the end result is Apache does either too little or too much. It's always a bit messy. The alternative is to put all of the processing in your application, and this is good if you've got control of your application, which is to say, if you're doing your own PHP programming. Then you can do all the processing yourself to be able to deal with it. So what you do is you turn your Apache into transparent mode, which is easy enough. It just ships the information up from Apache. As the client certificate comes in, you get this bunch of variables telling you precisely what the client certificate is about, and then in PHP, or whatever language it is, you can read off this information and make your assessment. That works out to be better, because there you can get much more control about what you're doing. You've just got to write some code. If you're installing somebody else's application, however, like one of the ones straight off the web, it's a bit harder because that's already written.

The third gotcha is that certificates can and do change. Every year or two people get a new cert, and this is where it becomes very valuable to do your own coding with client certificates. You can read the certificate straight into a database. That's a good idea. Once you've got that certificate, you extract out the information you need, which is primarily the username and the email address, and as the new certificates come in, the first time you see a certificate, it's unfamiliar, it's not found in your database of certificates. But you can match on the name, you can match on the email address. Now, as long as the person carries on using the same name, the same email address, you have essentially a capability to swap from client certificate to client certificate, and it becomes a fairly seamless, painless user experience. If the user goes and changes their name or their email address, or both, then you need a bit more thinking, a bit more intervention at the sysadmin level.

Just to conclude: client certificates do work, and they do work very well. We've been using them for a couple of years.
They've solved a lot of problems. They reduce the complexity, they save us a lot of administration headaches. There are other methods, yes, there's OpenID. Client certificates using SSL are a higher security solution. The problem with other solutions such as OpenID, there's also Open-whatever, etc., etc., is that you still have to get that deployed widely enough into the code bases, into the applications and so forth. So client certificates have the ability that they're already there. The benefit: they're already there. All you have to do is start configuring them and getting your users to use them. How do you get your users to use them? Well, one way you can do it is simply instruct all your users to join CAcert and get a client certificate. That's what I've done at one of the institutions that I was working with, where we had a bunch of system administrators. We simply told them, okay, from now on you're all part of CAcert. As a system administrator, you get your certificate, and then in you go into the various applications. You can do that if it's small. If you start off with a new site, then you can use the certificates to pull people in. That's helpful. Or alternatively you can build an internal factory CA which distributes the certificates straight out of the website to the users. That's the end of that.

Okay, question. Why can't we use it? So how do you deal with portability, if you do use client certs as your auth method for your site? Like, how do you log in from someone else's browser, or an internet cafe or whatever, when you're not using your laptop? You can't really do that. Client certificates are for the user who's basically using their own machine and their own browser. I have a little bit of a difficulty wondering how you can secure access in a net cafe when somebody else owns the machine and theoretically cleans it up. So it's one of these areas where it's kind of difficult. Can you really make that work? I don't know. But yes, portability is not a good answer.

Yes. Yes. We will see this issue in the future as more and more smartphones get more and more browsers using that sort of access material. To an extent, we spent the last ten years securing our laptops, and now we're going to start the whole game again with smartphones. And smartphones are going to be hit by viruses and various other problems, and they're going to be way behind the laptops or the desktops. So it's an ongoing issue. You can kind of see it as a battle of attacker versus defender.

The third part of this has disappeared. Bear with me while I go searching for the third part of this talk. Which is one of your other proposed solutions? It's a total mess because everybody's got their own protocol. It could be. To be honest, I don't know very much about OpenID. I think on their own admission they indicate that it's a fairly medium-to-low security solution. It's more a single sign-on thing which gets you up and going, which is good, which is good. There is a system called Identica, I think it's called, which converts certificates into OpenID, which allows you to use your certificate, go to set up your OpenID hooks, or however it works, and then you can go and use any OpenID system. Yes, yes, which is a good hybrid. There's nothing wrong with that. Does CAcert offer that? It's interesting. It's already there. Identica is doing it, and CAcert has got a little bit of a dilemma there, because as soon as we start talking about it, people will say, oh, CAcert approves of this, and we don't know who is doing it. We don't know the people behind Identica. We tried to find out, but they're not responding. So we're trying to be quiet about it because we just don't want to scare anybody away. There's a few around. Yeah. So that's our experience.
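The application-side handling described earlier in the talk (Apache in transparent mode handing the client certificate's fields to the application, which keys users on the certificate and falls back to matching name and email when a renewed certificate shows up), as an added runnable example. This is not CAcert's code and was not part of the talk; it is Python rather than PHP, assumes mod_ssl's standard variables (SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL, SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_Email) exported by SSLOptions +StdEnvVars, and the issuer DN and request data are constructed placeholders.

```python
"""Application-side client-certificate login: Apache (mod_ssl) verifies the
certificate and exports its fields as SSL_CLIENT_* variables; the app keys
users on the certificate and falls back to name + email for a renewed cert.

Added illustration, not CAcert's code. Assumes SSLVerifyClient require and
SSLOptions +StdEnvVars in the vhost, and a CGI/WSGI-style environ dict."""
import sqlite3

# Issuer DN we accept. Constructed placeholder, not CAcert's real DN; the real
# value is whatever mod_ssl reports for the CA root you trust.
TRUSTED_ISSUER_DN = "/O=Example CA/CN=Example Class 1 Root"


def init_db(conn):
    """Two tables: the users, and the certificates known to belong to them."""
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL,
            UNIQUE (name, email));
        CREATE TABLE certs (
            issuer TEXT NOT NULL, serial TEXT NOT NULL, user_id INTEGER NOT NULL,
            PRIMARY KEY (issuer, serial),
            FOREIGN KEY (user_id) REFERENCES users (id));
    """)


def register_user(conn, name, email):
    """Enrol a user under the name and email their certificate will carry."""
    cur = conn.execute("INSERT INTO users (name, email) VALUES (?, ?)",
                       (name, email.lower()))
    conn.commit()
    return cur.lastrowid


def cert_fields(environ):
    """Extract the mod_ssl variables we rely on; None unless Apache reports a
    verified cert (VERIFY == SUCCESS, not NONE/FAILED/GENEROUS) from our CA."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = environ.get("SSL_CLIENT_I_DN")
    if issuer != TRUSTED_ISSUER_DN:
        return None
    serial = environ.get("SSL_CLIENT_M_SERIAL", "")
    name = environ.get("SSL_CLIENT_S_DN_CN", "")
    email = environ.get("SSL_CLIENT_S_DN_Email", "")
    if not (serial and name and email):
        return None
    return {"issuer": issuer, "serial": serial.upper(),
            "name": name, "email": email.lower()}


def identify_user(conn, environ):
    """Map the presented certificate to a user id, or None.
    1. Known cert (issuer + serial on file): return its user.
    2. Unknown cert whose CN and email match an enrolled user: record it
       against that user so the renewal is seamless, return the user.
    3. Otherwise (new person, or name/email changed): None, for a sysadmin."""
    cert = cert_fields(environ)
    if cert is None:
        return None
    row = conn.execute("SELECT user_id FROM certs WHERE issuer = ? AND serial = ?",
                       (cert["issuer"], cert["serial"])).fetchone()
    if row:
        return row[0]
    row = conn.execute("SELECT id FROM users WHERE name = ? AND email = ?",
                       (cert["name"], cert["email"])).fetchone()
    if row is None:
        return None
    conn.execute("INSERT INTO certs (issuer, serial, user_id) VALUES (?, ?, ?)",
                 (cert["issuer"], cert["serial"], row[0]))
    conn.commit()
    return row[0]


def sample_environ(serial, name, email, verify="SUCCESS"):
    """Constructed request environment mimicking mod_ssl's exported variables."""
    return {"SSL_CLIENT_VERIFY": verify, "SSL_CLIENT_I_DN": TRUSTED_ISSUER_DN,
            "SSL_CLIENT_M_SERIAL": serial, "SSL_CLIENT_S_DN_CN": name,
            "SSL_CLIENT_S_DN_Email": email}


def demo():
    """First login, a renewed cert, a changed email, and a request without a cert."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    alice = register_user(conn, "Alice Example", "alice@example.org")
    env = lambda serial, email, **kw: sample_environ(serial, "Alice Example", email, **kw)
    return {
        "alice": alice,
        "first": identify_user(conn, env("0A1B", "alice@example.org")),
        "renewed": identify_user(conn, env("0C2D", "Alice@Example.org")),
        "changed": identify_user(conn, env("0E3F", "alice@new.example")),
        "nocert": identify_user(conn, env("0A1B", "alice@example.org", verify="NONE")),
        "stored": conn.execute("SELECT count(*) FROM certs").fetchone()[0],
    }
```

The "changed" case is the one the talk flags as needing sysadmin intervention: the application returns None and can show a friendly "please contact support" page instead of leaving the browser to surface an SSL protocol error.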
We ask people and they say not us Okay, here we go Finally CSR now you're all most of the people here and use the CSR And we don't have a good presentation for that sort of thing, but this is what I've cobbled up CSR is a certificate authority certification authority Now the problem with these beasts is that they have all this power to issue certificates to people and Supposedly these certificates are good for something supposedly we can rely on the certificates, which means they're kind of scary and The way the browser world has responded to this this kind of scary situation is that they require every CA to get audited CA cert has not got an audit. So it's not currently in any of the browsers so consequently Back in 2005 they start at the process of getting audited And the last five years have been the history of CA cert getting audited and it has been a five-year story So a lot of our documentation starts from that point Who we are we are a community CA which is to say you join you're in the community We are all volunteers We have as I mentioned four thousand plus plus assures people are checking the various identity aspects Strongly based in Europe, especially Germany a lot of people over 800 in the USA and a smattering across South America And a few across all the various other places. It started in Sydney to do with wireless networking in Sydney and Quickly spread across Australia and then out to the rest of the world However, we have the problem that we're very under represented in Australia our association which runs the Which is if you like the executive part Has something like three Australian members amongst 60 worldwide members and we need Australian membership hence. 
I'm here also Banging the drum to try and build up our Australian membership To get a bit more balance into the The whole community We are challenged by this audit process We have to get the audit to get into the browsers and this has caused a Big lot of changes a lump of changes across the way it works The first audit went into high gear in 2009 It hit an immediate difficulty in the the executive the board and the various managers Didn't have the capacity to respond to the auditors requests now when I say that I'm being a little bit deceptive I was the auditor and I requested various things from co-cert and they weren't able to respond The the deeper reason was that the community itself had been Encouraged by previous boards and presidents and so forth to not worry about things to be patient and Wait because somebody's doing the audit and this didn't really work out because everybody sat in their arses and did nothing So consequently we've been going through a big Rethinking process of trying to push all the work out from the center Which wasn't doing anything out to the community which are capable of doing things. We have a very big community We have a lot of good people and if we can bring them in and start working on these various issues We can get them done So the last year two years was about getting that message out and we've more or less done that So I need to update these slides The community has the capacity for doing the audit So that's part one change the message to build up the capacity This is what we have been doing and I'm going to run through the list of teams here these slides are more or less internal marketing and Five engage the auditor for the next two audits All right, let's let's talk about co-cert from the vertical point of view Which is to say if you're at the side you can see three vertical areas In a business sense. We have these areas one is the assurance and this is in PKI terms It's the registration authority. 
They call it the RA, and this is the 4,000 assurers that are out there across the world doing these verifications. And there's the systems, and this is the classical certification authority. It just issues the certificates according to the information that comes from the previous group, the assurance. And then there's the community, which is the larger body, and these are the people who have certificates, who rely on certificates. If you join CAcert as a community member, you will be part of the community. That group is estimated at about 20,000 people. We don't have hard numbers on that because it's too easy to create an account and get a certificate. Consequently we have something like, I think it's a hundred thousand accounts, and most of them haven't been touched for a long time. My estimate there is about 20,000 people in the community.

So in terms of the teams, we have a group of people doing business operations, and these are essentially the sort of managerial functions you will see in your workplace that aren't technical. A big group doing policy: we have something like 20 people monitoring the policy groups to create the documentation, and I'll just say a little bit about that. CAcert is different to most open source organizations. I suspect we're kind of unique; I only know one organization that comes close, and that is because we are required to get an audit. We are required to have business-like processes. Specifically, audit works like this: we do what we say and we say what we do. That's a kind of mantra that comes from the audit world.
We do what we say and we say what we do, which means we have to say everything that we're doing, which means we need documentation, and serious documentation that can be tested. And this is kind of novel, because in most of the open-source world the code is the documentation: the code tells you what's going to happen, and people just dive in and change the code where they want to, where they can. So CAcert has had to take all of its processes and dump them into documentation, and this has been a four-year effort, which is now complete.

Then there's teams for the assurance side. We have an events team which runs around and does these ATEs; so today I'm here as part of the events team doing this particular event. There is an education team which prepares the challenges; that's the Assurer Challenge. We also have a support challenge coming up, and various other initiatives around the place. We have organisation assurers; there's about 10 or 15 organisation assurers, and that's to really deal with companies and so forth. Dispute resolution is something that is a newer area for CAcert. We have something like 10 arbitrators around the world listed who can rule on the various disputes. I'll say a bit more about that.
They're supported by case managers. Those were all business aspects, which are fairly standard across business, and now we get to the technical side. On the technical side we've got teams for triage and support engineers. Software is a little bit of a black mark for us, but we do have now a good testing team. We have development of the PHP code and we also have software assessment, and these are controlled areas. For systems administration we have several groups doing this.

So the takeaway from all that is we have a lot of teams, but all of those teams have something in common these days, and that is you need a little bit of familiarity with CAcert. So you need to have spent a little bit of time; you need to be an assurer these days. That's because we require a certain amount of reliability, which then gets fed up to the audit process. The role of assurer is where we can put that stake, we can put that label on, saying this person's reliable. Everybody tends to help with recruiting and training, but more than other organizations we also need a little bit of attention to detail, and the detail here is we have a bunch of policies and you have to follow them. We have practices, and when things go wrong we have a formal process for resolving issues, which is to say we have a thing called arbitration which allows us to resolve difficulties in a quasi-legal fashion.

Okay, so now I'm just going to run through the various teams that are out there. Senior assurers help and run these ATEs; that's what I'm going to be doing this afternoon, and basically help around the place. Blah blah blah. Okay, not to worry about that. Okay, policy group. Policy group is very interesting because it's open, but we set firm rules. We create policies, and the policies are written and approved through a democratic or voting process.
They then become binding on every member of the community. So if you've joined, if you've just signed up at the website, you may suddenly find that you're bound by certain documents, and these documents are created in an open web, in an open mail list, so anybody can join and practice this part. And to an extent the policy group is like our legislature; it's like our parliament.

Organisation assurers: they're basically just very good with assurance and they know more about companies and so forth.

Arbitrators: another big difference with CAcert, which I will cover in some depth in the ATE section later on. We have a formal method of resolving disputes, and I'll just say a little bit about that. Certificates are supposed to be important. They're supposed to secure things; they're supposed to be reliable. We are supposed to be able to use these certificates for all sorts of important things, like online banking, like security and so forth. What happens if something goes wrong? If something goes wrong, somebody's out of money, somebody's out of pocket, some damage is done. How do we resolve that situation? The classical answer is you go to the courts and you sue somebody. Now CAcert, for one reason or another, which I kind of get into in the next section, has chosen to not go to the courts. Instead it's brought it all in and created its own arbitration forum, which is to say its own legal way of resolving disputes, based on a thing called the Arbitration Act in every country. So we have something like 10 people around the world who are listed as arbitrators. They will hear a case and deliver a ruling which is legally binding and which can, if it's done well and there's no problems with it,
be taken into a court and respected by that court. So that gives us an answer as to how we resolve disputes. So these people are very important to us, because they're actually making changes to the way we work, and they can do so in a quite solid, legally binding fashion. Case managers support the arbitrators. Generally the way it's worked, which wasn't intended, the arbitrators will work in buddy pairs: one of them will be the case manager, the other will be the arbitrator, and the next case they'll swap around.

Triage and support people: they're the front line. Basically what they do is they see the incoming support traffic and they quickly direct it to one of several locations. So they're able to dive into the web apps, follow the stuff, get a view, and quickly direct it around. It's the starting place for a lot of things, because it gives you a good familiarity with what's going on.

Which leads us to the critical roles. Because we are dealing with privacy information, and because we're dealing with these certificates which are powerful and they're audited and so forth, we require people who have powerful access, the root system administrators as it were in a conceptual sense, to be checked out. And roles that come under our security policy require a background check, which is called ABC. It's called that because the arbitrators run the background check; they're an independent voice over the various recruiting activities of the team leader. The team leader has to propose somebody, and the board has to finally approve. So support engineers are put through this process because they do have the power to adjust people's accounts.

Software: we have a situation with software.
We have two bodies of software, one of which is new and hardly started, the other of which is the old running software, and that's PHP. It requires a lot of patience to deal with it because it wasn't written in a good fashion to start off with. To support this we have a bunch of people working as testers and software assessors.

Infrastructure team: these are the people who manage all the other systems, not the CA itself. Access engineers are people located in the Netherlands, in Ede, which is a little town which has a very secure data center. They will control system administrators going in there, be present for every access, and they are the physical line of protection. Critical system administrators: these are your classic system administrators running the CA itself. They always work with other people; there's always four eyes. Audit team, I'll leave that.

CAcert Incorporated: this is the association that owns the legal part of CAcert. It's a New South Wales association of members. We've got about 60 people on the books; we're always adding more; it's very easy to get in. There's not very much to do in CAcert Inc, unless you're on the board, in which case there's a little bit to do. It's the counterparty to every other person, and that's the 20,000 active people around the world, so it's quite important, and it also acts as the final deciding point. There's seven members normally on the committee. We appoint various roles and we oversee things. We also implement the policies, which is curious because we have outsourced the control of policies to somewhere else. As an institution, as an association,
we are bound by a group of people that are outside the association.

So from a governance perspective, this is the helicopter view. We actually have three heads of power, three central areas which are very powerful in and of themselves: the policy group, that open group, can create binding policy; the arbitration people can deliver the rulings in any dispute, and they can knock policies down; and the board is supposed to implement those policies and also follow the arbitration rulings. But the board itself also appoints people who are arbitrators. So we end up with this three-legged stool, which actually mirrors the classical Western democracy thing of the legislature, the judiciary and the executive. And this has worked very well for us. We've had a number of bunfights between these various groups, and at the end of the day everybody said, okay, you've got your power, you can beat us on that point, we'll beat you on another point, let's all sit down and work it out. None of these groups has been able to achieve supremacy.

So what are we up to? Building these teams. The last annual report showed us something like 40 people who were consistently, permanently involved in the situation in CAcert. And another message for our internal team: what can we do for the audit? Okay, that brings me to the end of that ad hoc description of CAcert.

Questions. WebTrust is the starting point for a lot of audit processes for browsers. We are actually under a much fiercer regime called DRC, for David Ross Criteria. This is part of the next talk. David Ross took the WebTrust audit criteria and rewrote it. He took their 25 points and expanded it out to 150 points, and he also rejigged it completely. And if you like, WebTrust is focused on keeping the CAs in business, and David Ross rewrote it such that it addressed the user's interests. So it's a very different process.
It more or less covers the entirety of WebTrust, but a lot more as well, and that extra part is what makes CAcert different.

Yes, I mean that is basically our strategy, if you like. We do issue those certificates to businesses. They're of limited use because of the problem with not being in the browsers. We have been basically working to get into the browsers and get the audit process done for the last five years or so. It's a lot of work; it's a lot more work than open source groups really anticipate or understand. So, last question before the afternoon tea. After that you can come back and there'll be the assurer training event.

Just gonna ask, just from a very general perspective, what does an assurer actually do, and is this next session intended that any of us become an assurer? I just don't really... not really aware of what the next session entails entirely.

Yeah. What does an assurer do, and is the next session intended to make all of you assurers? It's a cautious yes, in the sense that certainly please turn up, learn how to be an assurer. It's oriented towards people who are already assurers and need to upgrade their skills over the last few years' worth of big changes, but practically speaking you will find out what it takes to be an assurer. And then to prejudge that, or to predict that talk: what does it take to be an assurer? You have to help verify the identity and a bunch of other points of each person you come across. You create a piece of paper, documentary evidence for that, enter the points into the system, and that way you add confidence to our web of trust. And our web of trust is intended to provide a statement over every member of the community; assurers collect the information for that, if that makes sense. From a totally non-official point of view it's kind of like the GPG web of trust, except that one big difference is that you download a form from the CAcert website, that's what you fill out, and you keep that form for seven years.
That's the main difference.

Yeah, but is it essentially the same thing, like checking someone's passport, kind of thing?

It's essentially the same steps. CAcert has a formalized web of trust, whereas the GPG or PGP web of trust is casual, informal. And you'll find most people in CAcert are also part of the GPG and PGP communities. So we'll see hopefully most of you after a break.