Patents by Inventor Peter Zachary Bowen

Peter Zachary Bowen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10320773
    Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. After receiving a request for a certificate for a certain domain name, the certificate authority uses a public key cryptography protocol to generate a request for information regarding the domain name. The request for information is submitted to a domain service which hosts that domain name, and the domain service will provide a response to the certificate authority which includes a public key and data for the domain name, with the data encrypted under an associated private key for the domain name. The certificate authority will issue a certificate specifying the domain name and utilizing the received public key, and the certificate is unable to be validated without access to the associated private key.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: June 11, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 10291605
    Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. The customer can utilize a device for sending a request relating to a specified domain and receiving a request token to be provided to a domain registry associated with the subject domain. Request token creation can entail generating at least one of a random string, a string generated based on information about a customer, a string generated based on information about the application, a password, or a key. After receiving the request token, the domain registry, in turn, will provide the token to the authority, which will verify that the request token received from the domain registry corresponds to the request token originally provided to the customer's device. If the two tokens match, the authority can act in accordance with the request, such as by issuing the certificate.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: May 14, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 10171495
    Abstract: Suspicious connection requests can be detected by analyzing connection parameters at multiple levels of a network framework. For Internet-based requests, unexpected combinations and/or ordering of Layer 6 (TLS) and Layer 7 (HTTP) parameters, for example, can be indicative of suspicious activity with respect to the connection. The connection parameters for a request can be compared against a set of determined signatures and/or analyzed using a trained probability model to determine a probability that the connection is improper. A probability value can be calculated and compared against at least one probability threshold to determine whether the connection is suspicious enough to cause a specified action to occur. The signatures can be updated through an offline or dynamic online process, and the thresholds can vary among the various embodiments.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: January 1, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 10127388
    Abstract: Techniques are disclosed for mitigating against registering a domain name that is confusingly similar to a pre-existing domain name, possibly for the purpose of fooling users. In embodiments, a domain name is presented for registration. The domain name is rendered as an image, and optical character recognition is performed on the image to extract the rendered text. This extracted text is compared against a list of domain names for which confusingly similar domain names cannot be registered, and when the extracted text matches a domain name in this list of domain names, registration of the domain name is denied.
    Type: Grant
    Filed: August 26, 2014
    Date of Patent: November 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Stefan Popuveniuc, Peter Zachary Bowen, Alexander Edward Schoof, Andrew Jeffrey Doane, Todd Lawrence Cignetti, Robert Eric Fitzgerald
  • Publication number: 20180262347
    Abstract: A computer system associated with a certificate authority receives a request to obtain information that can be used to determine a validity status of a digital certificate. In response to the request, the computer system provides the information and updates usage information for the digital certificate to incorporate information obtained from the request. The usage information may be generated based at least in part on previous requests to obtain the information. Based at least in part on the usage information, the computer system will perform at least one operation associated with the digital certificate.
    Type: Application
    Filed: March 8, 2017
    Publication date: September 13, 2018
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Publication number: 20180262346
    Abstract: A certificate authority receives a request to issue a digital certificate from a customer. In response to the request, the certificate authority determines a network endpoint to be specific to the digital certificate that is to serve information usable to determine whether the digital certificate is valid. The certificate authority issues, to the customer, a digital certificate that specifies a network address for the network endpoint and records information about requests made to the network endpoint to obtain the information usable to determine whether the digital certificate is valid.
    Type: Application
    Filed: March 8, 2017
    Publication date: September 13, 2018
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Publication number: 20180102905
    Abstract: A certificate authority service receives a request to issue a long-duration digital certificate from an entity for validation purposes between the entity and the service. Upon issuance of the long-duration digital certificate, the entity submits a request to the service for issuance of a short-duration digital certificate that includes a shorter validity period than the long-duration digital certificate. The service may utilize the long-duration digital certificate to validate the entity and, upon validating the entity, issues the short-duration digital certificate to the entity. The entity may subsequently utilize the short-duration digital certificate to enable a user client to authenticate the entity and securely communicate with the entity.
    Type: Application
    Filed: December 8, 2017
    Publication date: April 12, 2018
    Inventor: Peter Zachary Bowen
  • Publication number: 20170366538
    Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. The customer can utilize a device for sending a request relating to a specified domain and receiving a request token to be provided to a domain registry associated with the subject domain. Request token creation can entail generating at least one of a random string, a string generated based on information about a customer, a string generated based on information about the application, a password, or a key. After receiving the request token, the domain registry, in turn, will provide the token to the authority, which will verify that the request token received from the domain registry corresponds to the request token originally provided to the customer's device. If the two tokens match, the authority can act in accordance with the request, such as by issuing the certificate.
    Type: Application
    Filed: August 10, 2017
    Publication date: December 21, 2017
    Inventor: Peter Zachary Bowen
  • Publication number: 20170366539
    Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. After receiving a request for a certificate for a certain domain name, the certificate authority uses a public key cryptography protocol to generate a request for information regarding the domain name. The request for information is submitted to a domain service which hosts that domain name, and the domain service will provide a response to the certificate authority which includes a public key and data for the domain name, with the data encrypted under an associated private key for the domain name. The certificate authority will issue a certificate specifying the domain name and utilizing the received public key, and the certificate is unable to be validated without access to the associated private key.
    Type: Application
    Filed: August 10, 2017
    Publication date: December 21, 2017
    Inventor: Peter Zachary Bowen
  • Patent number: 9843452
    Abstract: A certificate authority service receives a request to issue a long-duration digital certificate from an entity for validation purposes between the entity and the service. Upon issuance of the long-duration digital certificate, the entity submits a request to the service for issuance of a short-duration digital certificate that includes a shorter validity period than the long-duration digital certificate. The service may utilize the long-duration digital certificate to validate the entity and, upon validating the entity, issues the short-duration digital certificate to the entity. The entity may subsequently utilize the short-duration digital certificate to enable a user client to authenticate the entity and securely communicate with the entity.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: December 12, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9805190
    Abstract: Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or perform other types of functionality.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: October 31, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Peter Zachary Bowen
  • Patent number: 9769153
    Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. A customer can submit a request and receive a request token. The customer can generate a cryptographic hash of the request using the token, which a service provider can compare against an expected hash similarly generated. If the hashes match, an action can be taken such as a certificate issued. A customer can request one or more request tokens up front, whereby the tokens can be used to submit hashes with requests at the appropriate time. In some embodiments a customer can submit a request specifying one or more domains, and a service provider can provide a list of confirmatory email addresses from which the customer can select. The service provider can then send a message to that address that includes a link for requesting a certificate.
    Type: Grant
    Filed: August 7, 2015
    Date of Patent: September 19, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9712621
    Abstract: An endpoint may share client information as part of a negotiation of a secure connection with an application such that connections terminated by the endpoint may have client information reported to the application. An endpoint may include termination points of communication, such as a proxy. For example, a client may connect to a load balancer through a protocol, such as transport layer security (TLS). By connecting to the load balancer, client data becomes known to the load balancer. The load balancer may then connect to an application server through TLS. During the negotiation phase of TLS, the load balancer may send client data using an extension to TLS. In some embodiments, the application may use the client data to determine whether or not to accept the client connection, such as client encryption parameters that indicate sufficient encryption strength.
    Type: Grant
    Filed: February 11, 2013
    Date of Patent: July 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9600664
    Abstract: Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or perform other types of functionality.
    Type: Grant
    Filed: September 3, 2014
    Date of Patent: March 21, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Peter Zachary Bowen
  • Patent number: 9552485
    Abstract: A method and apparatus for renewing cryptographic material are disclosed. In the method and apparatus a cryptographic material renewal entity of a computing resource service provider detects that cryptographic material stored by a secure module is to be renewed. Renewing the cryptographic material may include rekeying a private key associated with a certificate. Further, a digital certificate may be renewed, and the renewed certificate may be provided for use by the computing resource. The cryptographic material is used to fulfill requests made by a computing resource provisioned by the computing resource service provider for a customer. The renewed cryptographic material is provided to the secure module, whereby the renewed cryptographic material is used by the secure module to fulfill further requests made by the computing resource.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: January 24, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Andrew Jeffrey Doane, Stefan Popoveniuc, Matthew Allen Estes, Alexander Edward Schoof, Robert Eric Fitzgerald, Peter Zachary Bowen
  • Patent number: 9525672
    Abstract: A compute instance of a virtual computing service (VCS) is assigned first and second cryptographically verifiable identities (CVIs) within respective namespaces. A cryptographic key pair associated with the first CVI includes a non-transferable private key managed by a secure key store which does not permit the private key to be copied. The VCS enables the instance to use the private key for asserting the CVIs. In response to a first identity query, the instance indicates the first CVI. In response to a second identity query, the instance indicates the second CVI.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: December 20, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Peter Zachary Bowen, Andrew Jeffrey Doane, Alexander Edward Schoof
  • Patent number: 9485101
    Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatic reissuing may take place without receiving a certificate reissue request from the customer entity.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: November 1, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9407505
    Abstract: A computing resource is loaded with the code or data, and an audited record of the loaded code or data is generated. Furthermore, a configuration integrity verifier is generated based on the record of the loaded code or data. The configuration integrity verifier is sent to a requestor for verification of the code or data, the configuration integrity verifier being usable as a trusted verification of the loaded code or data.
    Type: Grant
    Filed: March 4, 2013
    Date of Patent: August 2, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Publication number: 20160211978
    Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatic reissuing may take place without receiving a certificate reissue request from the customer entity.
    Type: Application
    Filed: March 30, 2016
    Publication date: July 21, 2016
    Applicant: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Publication number: 20160182473
    Abstract: A compute instance of a virtual computing service (VCS) is assigned first and second cryptographically verifiable identities (CVIs) within respective namespaces. A cryptographic key pair associated with the first CVI includes a non-transferable private key managed by a secure key store which does not permit the private key to be copied. The VCS enables the instance to use the private key for asserting the CVIs. In response to a first identity query, the instance indicates the first CVI. In response to a second identity query, the instance indicates the second CVI.
    Type: Application
    Filed: December 19, 2014
    Publication date: June 23, 2016
    Applicant: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Peter Zachary Bowen, Andrew Jeffrey Doane, Alexander Edward Schoof