http://aaa-sec.com/index.htmlNewsenstefans@exmsft.comCopyright 2009 3xA Security AB2011-05-11T21:18:55+02:00 hourly 1 2000-01-01T12:00+00:00 Wed, 04 Mar 2009 04:13:45 +0100stefans@exmsft.comAll, Protocols2011-05-11T21:18:55+02:00http://aaa-sec.com/web/blog_files/2506148b0526e4b7752d3994b932c08c-32.html#unique-entry-id-32http://aaa-sec.com/web/blog_files/2506148b0526e4b7752d3994b932c08c-32.html#unique-entry-id-32http://tools.ietf.org/html/rfc6170).
]]>stefans@exmsft.comAllProtocols2010-04-30T09:51:19+02:00http://aaa-sec.com/web/blog_files/7a758359ab51fdb087e1654879ee4707-31.html#unique-entry-id-31http://aaa-sec.com/web/blog_files/7a758359ab51fdb087e1654879ee4707-31.html#unique-entry-id-31
Read more about this at: http://blogs.technet.com/office2010/archive/2009/12/08/digital-signitures-in-office-2010.aspx

This format builds on the XML Digital signature standard from W3C which is the globally accepted standard for XML signatures.
]]>stefans@exmsft.comAllProtocols2009-11-16T06:34:40+01:00http://aaa-sec.com/web/blog_files/9c86970fcb87da6df1f269a3e3be8f58-30.html#unique-entry-id-30http://aaa-sec.com/web/blog_files/9c86970fcb87da6df1f269a3e3be8f58-30.html#unique-entry-id-30Many protocols just deal with 7-bit ASCII on the basic protocol level while there is an increasing demand for information expression in local languages at the application layer. Various protocols like Internet mail and DNS has addressed this issue by defining conventions to carry international characters over 7-bit ASCII. The problem is rather straightforward as long as the task is limited to presentation of data in a local language context, but grows to a very hard problem when the task is expanded to comparison of canonicalized strings from different sources. The problem is even harder if consistency between visual matching and matching of encoded character strings is required.

The technical plenary at the 76th IETF in Hiroshima (November 8-13 2009) recently focused in on this particular problem.]]>stefans@exmsft.comAllProtocols2009-11-12T03:19:53+01:00http://aaa-sec.com/web/blog_files/5bd497a98cdaf062d3386232d0e858bd-29.html#unique-entry-id-29http://aaa-sec.com/web/blog_files/5bd497a98cdaf062d3386232d0e858bd-29.html#unique-entry-id-29
My slides for the TLS meeting today at the Hiroshima IETF, showing the basic approach. is available here: Cached Info (PDF).


]]>stefans@exmsft.comAllProtocols2009-11-12T02:49:08+01:00http://aaa-sec.com/web/blog_files/42ed6cd9167709ace8cb0e61511f8395-28.html#unique-entry-id-28http://aaa-sec.com/web/blog_files/42ed6cd9167709ace8cb0e61511f8395-28.html#unique-entry-id-28
The discovery is that current deployment of domain name matching between the domain expressed in the certificate and the domain protected by the certificate use string matching which treat character 00 (\0) as end of string.
]]>stefans@exmsft.comAllProtocols'2009-11-12T02:32:32+01:00http://aaa-sec.com/web/blog_files/f54f5e42d7188c2dd5b6355b7014b8da-27.html#unique-entry-id-27http://aaa-sec.com/web/blog_files/f54f5e42d7188c2dd5b6355b7014b8da-27.html#unique-entry-id-27stefans@exmsft.comAll2009-09-15T11:08:21+02:00http://aaa-sec.com/web/blog_files/b8f16511b763ae9088573e256c16d9bd-26.html#unique-entry-id-26http://aaa-sec.com/web/blog_files/b8f16511b763ae9088573e256c16d9bd-26.html#unique-entry-id-26
One goal is to write something everyday regardless of whether you have anything to say or not. That is not the path i I like to choose.
So I like to turn here and write about things that;

1. i find interesting,
2. i think someone else might have interest in, and;
3. does not violate reasonable confidentiality agreements with my customers.

Unfortunately the third is quite a limiting factor. Sometimes the most interesting things at hand I would like to write about is something that my customers do not wish to have published on my blog. And that is something I have to respect.
]]>stefans@exmsft.comAllAuthentication2009-07-15T23:27:51+02:00http://aaa-sec.com/web/blog_files/51eed15e5c72e76a760b5bf146d68834-25.html#unique-entry-id-25http://aaa-sec.com/web/blog_files/51eed15e5c72e76a760b5bf146d68834-25.html#unique-entry-id-25The basic problem is that modern websites combines information from many sources simultaneously when providing services to users. The problem a browser faces is to decide when it is valid to show the Extended Validation protection level by the “green bar”, or similar UI distinction, when only part of the visible content is provided through an EV certificate protected TLS(SSL) session.
Some sites, such as PayPal provide part of the content through EV protected TLS while other parts are just protected using a Domain Validation (DV) certificate, but web browsers will still regard the whole session as EV protected.

The researchers claim to have found an attack that effectively exploits this and will present their result at the upcoming Black Hat conference.
]]>stefans@exmsft.comAllSignatures2009-07-03T03:08:33+02:00http://aaa-sec.com/web/blog_files/46c6b6d2884b9af82c69d7698995e114-24.html#unique-entry-id-24http://aaa-sec.com/web/blog_files/46c6b6d2884b9af82c69d7698995e114-24.html#unique-entry-id-24The background of the electronic signature directive and the electronic signature standards in Europe makes this a hard and potentially dangerous task where we run a risk of disqualifying most signature capable products for no obvious gain.
]]>stefans@exmsft.comAllAuthenticationEvents2009-06-29T23:46:54+02:00http://aaa-sec.com/web/blog_files/4176dc973cf2d8806754c9f567725e30-23.html#unique-entry-id-23http://aaa-sec.com/web/blog_files/4176dc973cf2d8806754c9f567725e30-23.html#unique-entry-id-23The EU Commission funded project STORK announced during its second Industry Group Meeting, that they have decided on SAML 2.0 as protocol for its technical architecture.
The STORK project is the primary pilot project assigned by the EU commission to test cross border electronic identification between citizens and electronic services across Europe.

The first Industry Group Meeting resulted in feedback suggesting that the proposed architecture have potential vulnerabilities with respect to man in the middle attacks.
The combination of the solution to this problem and the selection of SAML 2.0 as the protocol of choice effectively prevents the use of the Information Card technology developed by the Industry during the past five years. The reason for this is that the Information Card model, which also use SAML assertions, uses WS-Trust as its primary exchange protocol and not pure SAML.
]]>stefans@exmsft.comAll2009-06-17T04:32:33+02:00http://aaa-sec.com/web/blog_files/4a6155e1e5264151eb5e57e7d3131cd9-22.html#unique-entry-id-22http://aaa-sec.com/web/blog_files/4a6155e1e5264151eb5e57e7d3131cd9-22.html#unique-entry-id-22I have written and made available an Internet Draft editor for writing drafts in Nroff format.
The Nroff format was the dominant way to format draft and RFC documents in the past and many draft writers still use the Nroff format with some command line compiler.

As I failed to find any decent application with which I could edit an nroff file and see the result in one application, I decided to write my own in

NroffEdit as a Java application distributed as jar file and is prepared for Mac and Windows.

For more information see http://aaa-sec.com/nroffedit/index.html

I appreciate any comments, feedback suggestions or bug reports.
]]>stefans@exmsft.comAllVisual eIDProtocols2009-05-14T14:35:19+02:00http://aaa-sec.com/web/blog_files/5e9f8a9fd0e2c17829a8b22cdc25db11-21.html#unique-entry-id-21http://aaa-sec.com/web/blog_files/5e9f8a9fd0e2c17829a8b22cdc25db11-21.html#unique-entry-id-21The PKIX group of the Internet Engineering Task Force has decided to adopt the work item to develop a standard for visual representation of e-identification certificates.

The PKIX group accepted the draft proposed by the Visual eID project as starting point for the standards work.
The current PKIX draft can be found here.]]>stefans@exmsft.comVisual eIDAll2009-05-04T11:11:16+02:00http://aaa-sec.com/web/blog_files/f30de9140c7ef3cbfaef20b4b7ca9fb3-20.html#unique-entry-id-20http://aaa-sec.com/web/blog_files/f30de9140c7ef3cbfaef20b4b7ca9fb3-20.html#unique-entry-id-20The current status of the Visual eID standardisation process is for IETF to accept this work as part of its agenda.

The Visual eID standard has been proposed to be added to the PKIX WG agenda and its acceptance is currently up for open discussion.
The draft standard under discussion is found at: http://tools.ietf.org/html/draft-santesson-pkix-certimage-00

You can influence the decision in the IETF/PKIX and take part in the development discussion by posting your view at the PKIX mailing list. This list is open for anyone who wishes to attend.

To subscribe to the PKIX mailing list send an e-mail to: ietf-pkix-request@imc.org
In the body of the e-mail enter “subscribe”

To support this work being adopted as a PKIX work item, send a mail to the PKIX mailing list: ietf-pkix@imc.org

The following message can be used:
“I support adoption of draft-santesson-pkix-certimage-00 as PKIX work item”

Click here to generate a ready composed e-mail.
]]>stefans@exmsft.comAllSignatures2009-05-01T01:58:31+02:00http://aaa-sec.com/web/blog_files/9b52c4d73c9ee910d7f1267a19dbb711-19.html#unique-entry-id-19http://aaa-sec.com/web/blog_files/9b52c4d73c9ee910d7f1267a19dbb711-19.html#unique-entry-id-19SHA-1 has taken a significant hit.
Recent presentation at the EuroCrypt rump session suggest that the problem to find SHA-1 collision is reduced to 2^52.
This is a significant reduction from the previously known best path with complexity 2^63.

For details, see:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf

]]>stefans@exmsft.comVisual eIDAllProtocolsAuthentication2009-04-22T12:20:45+02:00http://aaa-sec.com/web/blog_files/a6d30e7afb52749ceeb0851b143945da-18.html#unique-entry-id-18http://aaa-sec.com/web/blog_files/a6d30e7afb52749ceeb0851b143945da-18.html#unique-entry-id-18draft-santesson-pkix-certimage-00

The first draft is a result from an initial design process within the editorial team as well as discussions with partners and members of the CA Browser Forum.
This draft will initiate discussion in the PKIX WG whether to accept this as an adopted work item.
]]>stefans@exmsft.comVisual eIDProtocolsAll2009-04-20T14:14:03+02:00http://aaa-sec.com/web/blog_files/e3c484febea09d2a545d7cbcb88cfe98-17.html#unique-entry-id-17http://aaa-sec.com/web/blog_files/e3c484febea09d2a545d7cbcb88cfe98-17.html#unique-entry-id-17In the discussions concerning a visual image of an identity certificate, the image format of choice is a hot topic.

The issuer of the certificate knows what the image should look like but don’t know the type, size and resolution of the screen where it will be displayed. Therefore, what we need is a scalable image format that can render text and graphical elements.

Choosing one image format has however turned out to be a bit problematic.
]]>stefans@exmsft.comVisual eIDAuthenticationAll2009-04-18T03:32:43+02:00http://aaa-sec.com/web/blog_files/1de9acf490dfb484d8977abf1ee20f8d-16.html#unique-entry-id-16http://aaa-sec.com/web/blog_files/1de9acf490dfb484d8977abf1ee20f8d-16.html#unique-entry-id-16Based on input and discussions around the Visual eID project, I have written a problem statement which will be a living document for the project.
This document attempts to capture on a few pages, the basic problems and scenarios as well as the main reasons why this work is needed.



This living document is available here.

Comments and inputs are highly appreciated.]]>stefans@exmsft.comVisual eIDAuthenticationAll2009-04-03T01:55:03+02:00http://aaa-sec.com/web/blog_files/4bdf319ad4ea32de22417e59c0c0ba2b-14.html#unique-entry-id-14http://aaa-sec.com/web/blog_files/4bdf319ad4ea32de22417e59c0c0ba2b-14.html#unique-entry-id-14The visual eID standards effort has been submitted to the Information Security Solutions Europe conference in Hague, October 2009.
The submitted abstract below provide some basic rationales and orientation:

Abstract:
Since the EU directive on electronic signatures was published in 1999, national certification authorities have issued millions of certificates and qualified certificate. But have you actually seen one?

It is a paradox, considering that development of standards for electronic identification using Public Key Cryptography has been going on for a bit over 20 years by now, that we still have no generic solution or standard for how to display a certificate based identity to a human being.

]]>stefans@exmsft.comVisual eIDAuthenticationAll2009-03-31T08:14:52+02:00http://aaa-sec.com/web/blog_files/cf0251b75a96e4ba680d3e6e307afaae-13.html#unique-entry-id-13http://aaa-sec.com/web/blog_files/cf0251b75a96e4ba680d3e6e307afaae-13.html#unique-entry-id-13During IETF last week in San Francisco we managed to form a really strong editorial team for the new visual eID standard.

This standard will make it possible to bind a visual representation of a certificate to its signature. More information about this project is available on my Visual eID information page.

The editorial team:

Stefan Santesson, 3xA Security is lead editor as initiator and driver of this standards effort.

Russ Housley, Vigil Security. Russ is chairman of the Internet Engineering Task Force and was also co-editor of the original standard RFC 3709 on which this standards effort is based.

Siddharth Bajaj, VeriSign. VeriSign as the world leading provider of public certificates for web servers has been actively promoting a better UI experience for certificate based identification and authorisation. Siddharth has been actively involved with these efforts for almost a decade.

Leonard Rosenthol, Adobe. This standards effort was made possible much thanks to the standardisation of PDF in 2008. Leonard is the standards architect behind the development of an ETSI standard for PDF based Advanced Electronic Signatures (PAdES).

The work to write this standard will start immediately and a first draft will be published soon, no later than end of April.]]>stefans@exmsft.comProtocolsAll2009-03-26T19:26:24+01:00http://aaa-sec.com/web/blog_files/7243b733cc1fb726b2716331e3929274-12.html#unique-entry-id-12http://aaa-sec.com/web/blog_files/7243b733cc1fb726b2716331e3929274-12.html#unique-entry-id-12Today (March 26) at the IETF 74 conference, the TLS working group decided to adopt the certificate cache work with the intention to develop this to a new TLS standard. The decision was made after my presentation of the certcache proposal at the TLS working group.

The basic idea behind this proposal can be found in this blog article.
The first draft (draft-santesson-tls-certcache-00) is available here
]]>stefans@exmsft.comEventsAll2009-03-25T18:32:05+01:00http://aaa-sec.com/web/blog_files/ebc87c0f930c6bc6028c9370850fb828-11.html#unique-entry-id-11http://aaa-sec.com/web/blog_files/ebc87c0f930c6bc6028c9370850fb828-11.html#unique-entry-id-11I made several presentations at this meeting but my main focus was on presenting the Visual eID Project and in particular the standards efforts that is required to form a complete technical solution.

Meeting minutes and presentations are available from http://tools.ietf.org/wg/pkix/minutes]]>stefans@exmsft.comVisual eIDAuthenticationAll2009-03-22T02:32:08+01:00http://aaa-sec.com/web/blog_files/60e80f6bc62fb090b7c2d479d4ff52a1-10.html#unique-entry-id-10http://aaa-sec.com/web/blog_files/60e80f6bc62fb090b7c2d479d4ff52a1-10.html#unique-entry-id-10
The presentation is available here

I’m currently looking for partners and sponsors for this project and for this purpose I have created a project information page at http://aaa-sec.com/visualeid/.

]]>stefans@exmsft.comProtocolsSignaturesAll2009-03-19T12:57:16+01:00http://aaa-sec.com/web/blog_files/d80188ca17bd24848a3a90ea69caa12a-9.html#unique-entry-id-9http://aaa-sec.com/web/blog_files/d80188ca17bd24848a3a90ea69caa12a-9.html#unique-entry-id-9
PAdES, or ETSI standard TS 102 778, is ETSI’s continuation of EU commission funded standardization of Advanced Electronic Signatures in support of the EU Electronic Signature Directive from 1999. PAdES is the third signature standard in the ETSI series covering signatures on PDF documents. Previously published ETSI signature standards have specified signatures on XML documents (XAdES) and signatures using CMS (CAdES) where CMS is the ASN.1 based signature (Cryptographic Message Syntax) developed by IETF as part of the S/MIME standards series for secure e-mail.
]]>stefans@exmsft.comPolicyVisual eIDAll2009-03-17T16:13:15+01:00http://aaa-sec.com/web/blog_files/574eca70f1b4f4af415e3dbdc21e5dcd-8.html#unique-entry-id-8http://aaa-sec.com/web/blog_files/574eca70f1b4f4af415e3dbdc21e5dcd-8.html#unique-entry-id-8The EU commission has released an action plan for harmonisation of electronic signatures and electronic identification among European member states.
You can download the action plan here COM (2008) 798final
A presentation on the action plan held at ETSI ESI in Barcelona, March 17 2009 is here]]>stefans@exmsft.comProtocolsAll2009-03-14T01:08:22+01:00http://aaa-sec.com/web/blog_files/3463eee2a77bdd29d2ad119cf45da090-7.html#unique-entry-id-7http://aaa-sec.com/web/blog_files/3463eee2a77bdd29d2ad119cf45da090-7.html#unique-entry-id-7The IETF standard for time stamps is currently being updated - But are the changes really necessary?]]>stefans@exmsft.comProtocolsAll2009-03-11T13:57:40+01:00http://aaa-sec.com/web/blog_files/f1929c39136750c5271ad3ca132291bf-6.html#unique-entry-id-6http://aaa-sec.com/web/blog_files/f1929c39136750c5271ad3ca132291bf-6.html#unique-entry-id-6A fairly new and unknown protocol, the PKI Resource Query Protocol (PRQP) developed in the IETF PKIX Work Group, is being deployed by the US Federal Bride and OpenCA, reports the editor of the current draft, Massimiliano Pala.


]]>stefans@exmsft.comEventsAll2009-03-10T16:47:55+01:00http://aaa-sec.com/web/blog_files/8e9c0197be2bb194bc0ece2c70c9c7cf-5.html#unique-entry-id-5http://aaa-sec.com/web/blog_files/8e9c0197be2bb194bc0ece2c70c9c7cf-5.html#unique-entry-id-5 and

]]>stefans@exmsft.comProtocolsAll2009-03-10T03:19:50+01:00http://aaa-sec.com/web/blog_files/d08b5a814d8750bd29ddc6d13f4673fb-4.html#unique-entry-id-4http://aaa-sec.com/web/blog_files/d08b5a814d8750bd29ddc6d13f4673fb-4.html#unique-entry-id-4
]]>stefans@exmsft.comProtocolsAuthenticationVisual eIDAll2009-03-09T14:24:13+01:00http://aaa-sec.com/web/blog_files/c08104dc5f387730dbd9b94a9d0b7ec5-3.html#unique-entry-id-3http://aaa-sec.com/web/blog_files/c08104dc5f387730dbd9b94a9d0b7ec5-3.html#unique-entry-id-3 ]]>stefans@exmsft.comProtocolsAll2009-03-09T11:36:22+01:00http://aaa-sec.com/web/blog_files/204130f4e89782f473e5957e56bf39d4-2.html#unique-entry-id-2http://aaa-sec.com/web/blog_files/204130f4e89782f473e5957e56bf39d4-2.html#unique-entry-id-2stefans@exmsft.comAuthenticationAll2009-03-08T15:19:19+01:00http://aaa-sec.com/web/blog_files/68128694758f9208ffca5cd486d87ce0-1.html#unique-entry-id-1http://aaa-sec.com/web/blog_files/68128694758f9208ffca5cd486d87ce0-1.html#unique-entry-id-1
]]>stefans@exmsft.comAll2009-03-04T18:34:39+01:00http://aaa-sec.com/web/blog_files/6ce7b840e6294c17a354ebca5a12795a-0.html#unique-entry-id-0http://aaa-sec.com/web/blog_files/6ce7b840e6294c17a354ebca5a12795a-0.html#unique-entry-id-0
In this Blog I provide information and personal thoughts related to Internet security.
I hope you will find some useful thoughts here.

]]>