
How (not) to make a mockery of trust


Formal Metadata

Title
How (not) to make a mockery of trust
Subtitle
Testing client software for public-key infrastructure
Title of Series
Number of Parts
287
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
The ever-continuing push for digitalisation has increased our reliance on trust services of various kinds, filling various needs relating to document signing, code signing, authorization tokens, and so forth. Many of these trust services rely on public-key infrastructure (PKI) and X.509 certificates. The sensitive nature of these tools makes them difficult to use in a testing environment. On the one hand, exposing access to production keys in your CI is obviously a terrible idea. But on the other hand, setting up and maintaining a fully functional "mock" PKI environment is also pretty tricky. What can you do about that?

Using PKI tools in test workflows involves many challenges. Here are a few examples:

- Even a (supposedly) basic task like validating an X.509 certificate involves quite a bit of complexity. Apart from "local" validation logic, you might also have to check the revocation status of your certificate, which could entail talking to an OCSP responder service or looking up a CRL.
- If you're using secure timestamps (RFC 3161) in your code, your tests might also require access to a time stamping service.
- Maybe you're using a remote signing service vendor that doesn't offer any sort of "sandbox" for testing purposes.

In all of these scenarios, both test data generation and mock service integration can be quite cumbersome. Both in my own time and on the job, I write a lot of code that relates to digital signing in various ways, and this is a kind of problem that I run into all the time. After trying out a variety of methods, I grew dissatisfied with the "traditional" options, and rolled my own PKI testing framework: Certomancer.

Certomancer helps with test data generation, performs trust service mocking, comes with a plugin API, and most importantly, it's FOSS (MIT licence). In my talk, I'll take you through some of the "how"s and "why"s of Certomancer's feature set, and talk about some of the mileage that I've gotten out of it.
Transcript: English (auto-generated)