Public Key Revocation continue…
Public Key Revocation
It is sometimes necessary to revoke a person’s (or company’s) certificate before its expiration date. Revocation usually occurs when:
- A company changes ISPs, if its certificate was issued for the ISP’s Domain Name System (DNS) name or IP address rather than the company’s own DNS name, or if the ISP had access to the private key.
- A company moves to a new physical address, so that the address information in the certificate becomes incorrect.
- The contact listed on a certificate has left the company.
- A private key has been compromised or is lost.
When a certificate revocation request is sent to a CA, the CA must authenticate the request as coming from the certificate owner (for example by a signature made with the certificate’s private key, or by a revocation passphrase agreed at enrollment for the case where that key has been lost); otherwise, anyone could revoke your certificate. Certificate owners are not the only ones who can revoke a certificate. A PKI administrator can also revoke a certificate without authenticating the request with the certificate owner. A good example of this is a corporate PKI, where an employee’s certificates should be revoked immediately upon termination.
Once the CA has authenticated the revocation request, the certificate is revoked and the revocation is published. A relying party must check the status of a company’s or person’s certificate to learn whether it has been revoked.
Status Checking
There are two methods of checking the revocation status of certificates: CRLs and OCSP.
CRL
The X.509 standard defines the CRL, which CAs publish. In its simplest form the list is a signed, published record of the revocation status of certificates that the CA manages. A revocation list can take several forms. To recap simple CRLs and delta CRLs:
- A simple CRL is a container that holds the list of revoked certificates, each identified by its serial number together with the revocation date and, optionally, a reason code.
- A simple CRL also contains the name of the CA, the date and time the CRL was published, and when the next CRL will be published, and it is signed by the CA so that relying parties can verify it.
- A simple CRL is a single file that grows over time; an entry may be dropped only once the revoked certificate itself has expired.
- Because only information about the certificate is included, and not the certificate itself, the size of a simple CRL container is limited.
- Delta CRLs were created to handle the issues that simple CRLs cannot: size and distribution.
- Although a simple CRL contains only certain information about each revoked certificate, it can still become a large file.
- In a delta CRL configuration, a base (complete) CRL is sent out to all relying parties to initialize their copies of the CRL. After the base CRL is sent out, updates known as deltas are sent on a periodic basis to inform relying parties only of what has changed since the base CRL they already hold.
OCSP
OCSP was defined to get certificate revocation checking past the limitations of CRL schemes. To recap some of the keys to OCSP:
- OCSP returns status information only for the specific certificate(s) the client asks about, rather than the full list of revoked certificates.
- With OCSP, there is no longer a need to transmit the large files used by CRLs.
- An OCSP response answers a query about a particular certificate, identified by its issuer and serial number, not about a whole population of certificates. OCSP does not validate the certificate chain: the client still has to validate the issuing CA’s certificate and the signature on the OCSP response itself.
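The following is an added example, not code from the original page, that models one OCSP round trip in Python: the client asks about a single certificate identified by issuer-name hash and serial number, sends a nonce, and then performs the checks a relying party must do before trusting the answer (responder signature, nonce, matching certificate, validity window). Assumptions made for the example: the responder’s signature is stood in for by an HMAC with a shared key (a real responder signs with the CA’s or a delegated responder’s private key and the client validates that certificate), the messages are JSON rather than ASN.1/DER, and the issuer name, serial numbers and times are constructed.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# CRLReason names for the subset of codes used below (RFC 5280, section 5.3.1).
REASONS = {1: "keyCompromise", 5: "cessationOfOperation", 6: "certificateHold"}


@dataclass(frozen=True)
class CertID:
    """OCSP identifies the certificate in question by issuer and serial number."""
    issuer_name_hash: str
    serial: int


class Responder:
    """A responder that is authoritative for exactly one issuer.

    Assumption for this example: an HMAC key stands in for the responder's
    signing key, so the client can verify that the answer is authentic.
    """
    def __init__(self, issuer: str, revoked: dict, key: bytes):
        self.issuer_hash = hashlib.sha256(issuer.encode()).hexdigest()
        self.revoked = revoked      # serial -> (reason code, revocation time)
        self.key = key

    def respond(self, cert_id: CertID, nonce: bytes, now: datetime) -> dict:
        if cert_id.issuer_name_hash != self.issuer_hash:
            body = {"status": "unknown"}          # not an issuer this responder serves
        elif cert_id.serial in self.revoked:
            reason, when = self.revoked[cert_id.serial]
            body = {"status": "revoked", "reason": REASONS[reason],
                    "revocation_time": when.isoformat()}
        else:
            body = {"status": "good"}
        body.update({"serial": cert_id.serial,
                     "issuer_name_hash": cert_id.issuer_name_hash,
                     "this_update": now.isoformat(),
                     "next_update": (now + timedelta(hours=1)).isoformat(),
                     "nonce": nonce.hex()})       # echoed so the client can detect replay
        encoded = json.dumps(body, sort_keys=True).encode()
        return {"body": encoded, "sig": hmac.new(self.key, encoded, "sha256").hexdigest()}


def check_response(response: dict, cert_id: CertID, nonce: bytes,
                   now: datetime, key: bytes) -> str:
    """Client-side checks a relying party performs before trusting an OCSP answer."""
    body = response["body"]
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(response["sig"], expected):
        raise ValueError("response not signed by a trusted responder")
    data = json.loads(body)
    if data["nonce"] != nonce.hex():
        raise ValueError("nonce mismatch: possible replay of an old response")
    if data["serial"] != cert_id.serial or data["issuer_name_hash"] != cert_id.issuer_name_hash:
        raise ValueError("response is about a different certificate")
    this_update = datetime.fromisoformat(data["this_update"])
    next_update = datetime.fromisoformat(data["next_update"])
    if not (this_update <= now < next_update):
        raise ValueError("response is outside its validity window")
    return data["status"]


# Constructed sample data for the example (not taken from any real CA).
ISSUER = "CN=Example Corp Issuing CA"
KEY = b"responder-signing-key-stand-in"
T0 = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
RESPONDER = Responder(ISSUER, {0x1001: (1, T0 - timedelta(days=2))}, KEY)


def query(serial: int, issuer: str = ISSUER, now: datetime = T0,
          nonce: Optional[bytes] = None) -> str:
    """One request/response round trip about a single certificate."""
    nonce = nonce or os.urandom(16)
    cert_id = CertID(hashlib.sha256(issuer.encode()).hexdigest(), serial)
    resp = RESPONDER.respond(cert_id, nonce, now)
    return check_response(resp, cert_id, nonce, now, KEY)


def replay_detected() -> bool:
    """A captured 'good' answer replayed against a fresh query fails the nonce check."""
    cert_id = CertID(hashlib.sha256(ISSUER.encode()).hexdigest(), 0x1002)
    old = RESPONDER.respond(cert_id, b"\x01" * 16, T0)
    try:
        check_response(old, cert_id, b"\x02" * 16, T0, KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for s in (0x1001, 0x1002):
        print(hex(s), query(s))
    print("other issuer:", query(0x1002, issuer="CN=Some Other CA"))
    print("replay detected:", replay_detected())
```

The "unknown" answer for a foreign issuer is the point of the third bullet above: the responder only speaks for certificates it is authoritative for, and it says nothing about whether that issuer's chain is trustworthy.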
Public Key Suspension
Sometimes it becomes necessary to suspend a user’s certificate. A suspension usually happens because a key is not going to be used for a period of time. For example, if a company previously used a shopping cart tool for purchasing merchandise, but has become unhappy with its online store and is rebuilding it, it could have its CA suspend its certificate and keys. This is done to prevent unauthorized use of the keys while they are idle. A suspended certificate must eventually be either revoked or reactivated, or it will simply expire.
Status Checking
The same status-checking methods used for revocation apply to suspended certificates. CAs use CRLs and OCSP to let relying parties check the status of suspended certificates. The difference is that the reason code is listed as certificateHold instead of one of the usual revocation reasons (such as a change in owner information or a compromised key). A hold is the one revocation state that can be reversed: when the certificate is reactivated, its entry is dropped from the next complete CRL, and a delta CRL signals this with the removeFromCRL reason code, whereas an ordinary revocation is permanent.
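The following is an added example, not code from the original page, covering both the delta CRL procedure described under "CRL" above and the suspension status check described here. It models the relying-party side in Python: check that the base and delta lists are inside their validity windows, apply the delta to the base (including removeFromCRL, which lifts a hold), and then map a serial number to good, suspended, revoked, or unknown. Assumptions made for the example: the CRL fields are plain Python values rather than DER, the CA signature on each list is taken as already verified, the delta is required to name exactly the base it is applied to (a conservative simplification of the RFC 5280 rule), and the issuer name, CRL numbers, serials and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# CRLReason codes as numbered in RFC 5280, section 5.3.1.
KEY_COMPROMISE = 1
CESSATION_OF_OPERATION = 5
CERTIFICATE_HOLD = 6     # suspension: the only entry that can later be lifted
REMOVE_FROM_CRL = 8      # delta CRL only: the entry has left the base CRL


@dataclass
class CRL:
    """The fields of a CRL that matter for status checking (signature assumed verified)."""
    issuer: str
    number: int                        # CRL Number extension
    this_update: datetime
    next_update: datetime
    entries: dict                      # serial number -> CRLReason
    base_number: Optional[int] = None  # Delta CRL Indicator; None for a complete CRL


def is_fresh(crl: CRL, now: datetime) -> bool:
    """A relying party should not trust a list outside its own validity window."""
    return crl.this_update <= now < crl.next_update


def merge(base: CRL, delta: CRL) -> dict:
    """Apply a delta CRL to the complete (base) CRL it was issued against."""
    if delta.base_number is None:
        raise ValueError("second argument is not a delta CRL")
    if delta.issuer != base.issuer or delta.base_number != base.number:
        raise ValueError("delta CRL does not belong to this base CRL")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold lifted: the certificate is usable again
        else:
            merged[serial] = reason    # new revocation, or a hold made permanent
    return merged


def status(base: CRL, delta: Optional[CRL], serial: int, now: datetime) -> str:
    """Return 'good', 'suspended', 'revoked', or 'unknown' when a list is stale."""
    if not is_fresh(base, now) or (delta is not None and not is_fresh(delta, now)):
        return "unknown"
    entries = merge(base, delta) if delta is not None else base.entries
    reason = entries.get(serial)
    if reason is None:
        return "good"
    if reason == CERTIFICATE_HOLD:
        return "suspended"
    return "revoked"


# Constructed sample data for the example (not taken from any real CA).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = CRL("CN=Example Corp Issuing CA", number=41, this_update=T0,
           next_update=T0 + timedelta(days=7),
           entries={0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD})
DELTA = CRL("CN=Example Corp Issuing CA", number=42, base_number=41,
            this_update=T0 + timedelta(days=1), next_update=T0 + timedelta(days=2),
            entries={0x1002: REMOVE_FROM_CRL,        # suspension lifted
                     0x1003: KEY_COMPROMISE,         # newly revoked
                     0x1004: CERTIFICATE_HOLD})      # newly suspended


def demo(now: datetime = T0 + timedelta(days=1, hours=1)) -> dict:
    """Status of a few serials from the base alone, then from base plus delta."""
    serials = [0x1001, 0x1002, 0x1003, 0x1004, 0x1005]
    return {
        "base_only": {s: status(BASE, None, s, now) for s in serials},
        "with_delta": {s: status(BASE, DELTA, s, now) for s in serials},
    }


def stale_example() -> tuple:
    """Three days in: the delta has expired (unknown) but the base CRL has not."""
    later = T0 + timedelta(days=3)
    return status(BASE, DELTA, 0x1003, later), status(BASE, None, 0x1001, later)


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, {hex(s): st for s, st in result.items()})
    print("stale delta:", stale_example())
```

Note the difference between the two views of serial 0x1002: a relying party that has only the base CRL still sees it as suspended, while one that has applied the delta sees it as good again. A stale delta is reported as unknown rather than silently falling back to the base list, because the base alone would miss the newer revocation of 0x1003.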