In recent years several CAs were compromised by attackers in order to
get trusted certificates for malicious activities. In 2011 the Dutch
CA Diginotar was hacked and all certificates were
-revoked~\ref{diginotar-hack}. Recently Google found certificates
+revoked~\cite{diginotar-hack}. Recently Google found certificates
issued to them, which were not used by the
-company~\ref{googlecahack}. The concept of PKIs heavily depends on the
+company~\cite{googlecahack}. The concept of PKIs heavily depends on the
security of CAs. If they get compromised the whole PKI system will
fail.
Therefore several security enhancements were introduced by different
-organisations and vendors~\ref{tschofenig-webpki}. Currently two
-methods are used, DANE~\ref{rfc6698} and Certificate
-Pinning~\ref{draft-ietf-websec-key-pinning}.
+organisations and vendors~\cite{tschofenig-webpki}. Currently two
+methods are used, DANE~\cite{rfc6698} and Certificate
+Pinning~\cite{draft-ietf-websec-key-pinning}.
% \subsubsection{DANE}
% \label{sec:dane}
% \footnote{\url{http://www.verisign.com.au/repository/tutorial/cryptography/intro1.shtml}}
% .
-\todo{ts: Background and Configuration (EMET) of Certificate Pinning,
- TLSA integration, When to use self-signed certificates, how to get
- certificates from public CA authorities (CACert, StartSSL),
- Best-practices how to create a CA and how to generate private
- keys/CSRs, Discussion about OCSP and CRLs. TD: Useful Firefox
- plugins: CipherFox, Conspiracy, Perspectives.}
+% \todo{ts: Background and Configuration (EMET) of Certificate Pinning,
+% TLSA integration, When to use self-signed certificates, how to get
+% certificates from public CA authorities (CACert, StartSSL),
+% Best-practices how to create a CA and how to generate private
+% keys/CSRs, Discussion about OCSP and CRLs. TD: Useful Firefox
+% plugins: CipherFox, Conspiracy, Perspectives.}
% ``Certificate Policy''\cite{Wikipedia:Certificate_Policy} (CA)
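Review bot: The new `DANE~\cite{rfc6698}` line may leave an undefined citation, because the bibliography change further down in this same commit deletes the `@misc{rfc6698, ...}` entry. Unless another entry with the key `rfc6698` survives in a part of the .bib file not visible here (the deletion could be removing a duplicate), BibTeX will report a missing database entry and the DANE reference will print as an unresolved marker. Since that reference is the reader's pointer to the TLSA specification behind the recommendation, rebuild and check the log for undefined-citation warnings for all five converted keys before merging. The other `\ref` to `\cite` replacements in this hunk look correct, assuming the keys are bibliography keys rather than `\label`s.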
month = Aug,
}
-@misc{rfc6698,
- author="P. Hoffman and J. Schlyter",
- title="{The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA}",
- series="Request for Comments",
- number="6698",
- howpublished="RFC 6698 (Proposed Standard)",
- publisher="IETF",
- organization="Internet Engineering Task Force",
- year=2012,
- month=aug,
- url="http://www.ietf.org/rfc/rfc6698.txt",
-}
-
@misc{draft-ietf-websec-key-pinning,
author = {{C. Evans and C. Palmer}},
title = {{Public Key Pinning Extension for HTTP}},