PKI Blog

Ted Shorter

Ted Shorter
Ted Shorter is the Chief Technology Officer at CSS. Responsible for CSS’ Intellectual Property development efforts, he helps align CSS’ security focus with the changing security landscape.

Recent Posts

SCEP Shortcomings

Posted by Ted Shorter on Mar 27, 2017 4:17:51 PM

Despite the documented shortcomings of the Simple Certificate Enrollment Protocol (SCEP), it is still in widespread use today. This is in large part due to the lack of better options when it comes to certificate enrollment – especially when it comes to more limited devices such as mobile phones, tablets, and constrained Internet-of-Things (IoT) devices such as embedded systems, sensors, automotive components, or medical devices. The simplicity of SCEP makes it an attractive choice for implementers that are bent on meeting tight timelines, but this simplicity can come at a cost.

Read More

Topics: SCEP, Simple Certificate Enrollment Protocol

Blockchain Demystified

Posted by Ted Shorter on Oct 28, 2016 8:56:44 AM

Blockchain Unblocked - What it is and what it is not

Blockchain technology has become a topic of major discussion in the past year or two.  There’s no question that the technology holds significant promise for the future… and it’s not just startups that think so:  IBM, Microsoft, Cisco, SAP, and many other major companies are investing billions of dollars in blockchain research.

Read More

Topics: blockchain help, blockchain security, blockchain, blockchain pki, what is blockchain

GlobalSign Certificate Conundrum – Why Doing PKI Right is Hard

Posted by Ted Shorter on Oct 14, 2016 12:39:36 PM

Yesterday (October 13, 2016), certain segments of the Public Key Infrastructue (PKI) world were spun into a frenzy, when a GlobalSign CA certificate appeared to have been revoked.  Clearly, revoking a CA certificate is a significant event, as all certs that chain through that CA effectively become invalid.

Read More

Topics: Public Key Infrastructure, PKI, GlobalSign, HTTPS, PKI GlobalSign

SAP's "The importance of client certificates in IoT"

Posted by Ted Shorter on Jun 9, 2016 1:56:24 PM

Jay Thoden van Velzen from SAP recently published a very interesting blog describing the use of certificate metadata as a mechanism to enhance IoT authentication.  We wholeheartedly agree with the approach.  CSS’ VerdeTTo solution is based on a similar concept, and allows us to leverage the massive scalability and certificate metadata capabilities of our CMS PKI operations management platform to transform certificates and metadata into device identities, attributes, and authenticators.

Read More

Topics: IoT, Internet of Things (IoT), SAP

Authentication in an Ultra-Connected World: Internet of Things

Posted by Ted Shorter on Oct 1, 2015 6:05:00 AM

As PKI practitioners, we’ve been asked the question for years: “What’s the best way to get a digital certificate on _____?” What gets filled into the blank has expanded dramatically over time, however. Ten years ago, certificates landed primarily on what I’d describe as “traditional” IT infrastructure – servers, desktops, laptops, smart cards, RADIUS servers, or VPN concentrators. But since then, things have gotten much more interesting. Handheld scanners. Surgical robots. VOIP phones. Set-top boxes. Cable modems. Even heart monitors and IV pumps.

Read More

Topics: install certificates onto devices, digital certificates, cert, embedded systems, certificate, Microsoft Security Partner, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, Microsoft Public Key Infrastructure, Cisco Internet of Things, embedded certificates, embedded devices, Microsoft PKI, X.509 digital certificates, Internet of Things, IoT, Blog, Internet of Things (IoT), certificate install, BYOD, PKI Assurance

Superfish: SSL Man in the Middle Attack

Posted by Ted Shorter on Feb 21, 2015 9:23:00 AM

Read More

Topics: SSL vulnerability, PKI, Man in the Middle Attack, Superfish, Lenovo

Five Common “DIY PKI” Mistakes to Avoid

Posted by Ted Shorter on Apr 4, 2014 3:20:46 AM

In the 12+ years that CSS has been helping organizations deploy Public Key Infrastructures, we frequently run into situations where PKI components are already present in the environment. Often it’s an older PKI that someone new to the organization has inherited and wants help evaluating; sometimes it’s a “temporary” deployment that an organization is looking to improve upon. In others, it may simply be a PKI design that a customer wants us to review and provide feedback before deployment. In any case, these “Do-It-Yourself” installations, like any PKI, can create problems, headaches, and occasionally even more serious issues if mistakes are made during the design, deployment, or operation of the PKI. And while it’s often quite easy to deploy PKI components, PKI does tend to be one of those technologies where you have exactly one chance to get it right: at install time. After that, many parameters are more or less set in stone, and a re-deployment becomes the only way to fix a mistake.

With that in mind, this is in no way an all-inclusive list, but here are five of the most common mistakes we see when encountering “DIY” PKI:

Read More

Topics: digital certificate, microsoft ca, IT Security, Microsoft Security Partner, PKI error, expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Azure PKI, PKI, PKI as a Service (PKIaaS), CA, PKI deployment, PKI mistakes, Blog, PKI CA, DIY PKI, PKI installation

Apple’s SSL Bug: Another Man-in-the-Middle Attack

Posted by Ted Shorter on Feb 22, 2014 6:38:25 PM

The Problem

Read More

Topics: digital certificate, Apple’s SSL Flaw, Apple flaw, iOS 7, IT Security, Microsoft Security Partner, apple MITM attack, apple security flaw, on device key generation, Industry Trends, SSL attack, Man in the Middle Attack, ODKG, Blog, Mac SSL, Apple SSL, client-side SSL certificates, MITM, apple ssl attack, iOS 7 SSL

SHA-1 Signed Certificates No Longer Trusted?

Posted by Ted Shorter on Dec 10, 2013 4:47:24 AM

By now, you may have already heard that Microsoft will start deprecating trust in certificates with SHA-1 signatures in 2016. In our view, this is a prudent move by Microsoft. We've long known that SHA-1 was weakening, and showing signs that a practical attack similar to the 2008 demonstration against MD5 could appear in the next few years.

Read More

Topics: expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, RSA Keys, PKIaaS, Azure PKI, PKI, Secure Hash Algorithm, PKI as a Service (PKIaaS), PKI as a Service, SHA1, SHA2, MD5 hash, Blog, SHA-1, SHA-2

1024-bit RSAs Days are Numbered

Posted by Ted Shorter on Jul 9, 2013 6:49:48 AM

In December of 2011, the CA/Browser Forum, comprised of representatives from the major Certification Authorities such as Symantec, Comodo, GoDaddy, and DigiCert, as well as browser vendors such as Microsoft, Apple, Mozilla, and Opera, published a document called "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates.” This document outlines an agreed-upon set of minimum standards for SSL/TLS cert vendors.

One of these standards essentially calls of the elimination of certificates with 1024-bit RSA public keys by the end of 2013: any RSA-keyed certificate, even end-entity (“subscriber”) certificates, that expire after Dec. 31, 2013, must have a key of at least 2048-bits. This is big news in some circles; a number of public cert vendors have had to change their procedures, and, more significantly, start migrating their customer bases to 2048-bit certs. Many started this process quite a while ago.

Read More

Topics: digital certificate, RSA cert length, apple, Symantec, Public Key Infrastructure, Comodo, certificate 2013, RSA certificate length, Industry Trends, DigiCert, SSL certificate, 1024-bit RSA, PKI, TLS cert, Microsoft PKI, digital certificate length, Blog, 1024 certificate length, cert length 2013, GoDaddy, Mozilla

Posts by Topic

see all

Want to Learn more about CSS?