PKI (public key infrastructure) Management and Certificate Lifecycle

Posted by arlene

Certificates and keys, just like drivers’ licenses and credit cards, have a life cycle. Different factors play into the lifecycle of a particular key or certificate. Many things can happen to affect the usable life span of a key—it may become compromised, or its certificate may be revoked or destroyed. Certificates also have an expiration date. Just like a license or credit card, a certificate is considered valid for a certain period of time. Once that validity period has ended, the certificate must be renewed or replaced.
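As an added illustration of the lifecycle checks described above (not code from the original post), the following Python models a certificate inventory and classifies each certificate at a point in time; it assumes a constructed set of certificates, a 30-day renewal window, and a CRL represented simply as a set of revoked serial numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Status(Enum):
    REVOKED = "revoked"              # serial is on the issuer's CRL; dates no longer matter
    NOT_YET_VALID = "not_yet_valid"  # notBefore still lies in the future
    EXPIRED = "expired"              # notAfter has passed: renew or replace
    RENEW_SOON = "renew_soon"        # valid, but inside the renewal window
    VALID = "valid"

@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

def evaluate(cert, crl_serials, now, renewal_lead=timedelta(days=30)):
    """Classify one certificate at time `now`. Revocation is tested first:
    a revoked certificate stays unusable even while its dates are in range."""
    if cert.serial in crl_serials:
        return Status.REVOKED
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    if cert.not_after - now <= renewal_lead:
        return Status.RENEW_SOON
    return Status.VALID

def lifecycle_report(certs, crl_serials, now, renewal_lead=timedelta(days=30)):
    """Map subject -> Status for a whole certificate inventory."""
    return {c.subject: evaluate(c, crl_serials, now, renewal_lead) for c in certs}

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical subjects and serials, not real certificates).
NOW = _utc(2024, 6, 1)
SAMPLE_CERTS = [
    Cert(1001, "vpn.example.test", _utc(2022, 6, 20), _utc(2024, 6, 20)),   # 19 days left
    Cert(1002, "mail.example.test", _utc(2023, 1, 1), _utc(2025, 1, 1)),
    Cert(1003, "legacy.example.test", _utc(2021, 1, 1), _utc(2023, 1, 1)),  # lapsed
    Cert(1004, "kiosk.example.test", _utc(2023, 6, 1), _utc(2025, 6, 1)),   # key compromised
    Cert(1005, "new.example.test", _utc(2024, 9, 1), _utc(2026, 9, 1)),     # issued in advance
]
SAMPLE_CRL = {1004}  # constructed CRL: the kiosk's private key was reported compromised
for subject, status in lifecycle_report(SAMPLE_CERTS, SAMPLE_CRL, NOW).items():
    print(f"{subject:22} {status.value}")
```

Running the script prints one line per certificate; the two that need action are the expired legacy certificate (renew or replace) and the kiosk certificate (revoked, so a new key pair must be generated rather than the old one renewed).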

Mechanisms that play a part in the life cycle of a certificate are:

Public Key Centralized vs. Decentralized


Different PKI implementations use different types of key management. A business enterprise often uses centralized key management, with all of the private keys generated and held by a central system. Older implementations of PGP used decentralized key management, since the keys are contained in a PGP user's key ring and no one entity is superior to another. Hierarchical CA models generally use decentralized key management, where the keys are generated and managed by the intended owner of the private key.

Whether to use centralized or decentralized key management depends on the size of the organization. With decentralized key management, the private key can be assumed to belong only to its intended owner; with centralized key management, there is a possibility for abuse of other users’ private keys by the administrators of the central key store. However, with decentralized key management, key recovery is left up to the individual user to consider, and this can result in the inadvertent loss (destruction) of keys, usually at the time when they are needed most.

Whether using centralized management or decentralized management for keys, a secure method of storing those keys must be designed.

Public Key Storage

Imagine what would happen if you left a wallet on a counter in a department store and someone took it. You would have to call your credit card companies to close out the accounts, go to the DMV to get a duplicate license, change your bank account numbers, and so forth.

Now, imagine what would happen if a company put all of their private keys into a publicly accessible File Transfer Protocol (FTP) site. Basically, once hackers discovered that they could obtain the private keys, they could very easily listen to communications between the company and clients and decrypt and encrypt messages being passed.

Taking this a step further, imagine what could happen if a root CA key was not stored in a secure place; all of the keys that used the CA as their root certificate would have to be invalidated and regenerated.

So, how do you store private keys in a manner that guarantees their security? Not storing them in a publicly accessible FTP folder is just a start. There are several options for key storage, most falling under either the software storage category or the hardware storage category.
