D3-ACA

Detect
Active Certificate Analysis

Definition

Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.

How it works

Analysis of server certificates using active methods to detect if certificates have been misconfigured or spoofed by using elements of the certificate, certificate authorities and signatures.

Certificate validity analysis

This can be accomplished by verifying the digital signature on certificate.

Certificate path analysis

The client's browser can perform path verification to ensure that the server's certificate contains a valid trust anchor.

Certificate configuration analysis

Some browsers can be configured to implement the key-usage extensions contained certificates. This can help to prevent a certificate from being misused.

Certificate revocation status analysis

Using either Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) to determine the revocation status. OCSP Stapling, binding the status with the certificate, helps to mitigate potential delay in status verifications.

Considerations

Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility

If the certificate authority, issuing the certificate, is compromised then all of the certificates issued by the CA are suspect

There may be delays associated with updates to certificates

Revoked certificates give the appearance of valid certificates until they are published to a trusted revocation service (OCSP or CRL)

The revocation service (OCSP or CRL) may be down during our connection and a browser will need to make a decision will need to be made about trusting the connection

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
Active Certificate Analysis
Certificate File

References

Reference - Securing Web Transactions