|Public key infrastructure (PKI) standards and trust
|Understand the concept of a PKI and how to revoke a certificate.
Public key Infrastructure Standards and (PKI)
Public Key Infrastructure (PKI) is a foundational framework in the realm of cybersecurity, essential for establishing and maintaining a secure, digital communication environment. This infrastructure is predicated on the use of cryptographic keys, encompassing both public and private keys, which together facilitate the secure exchange of information over networks, including the internet. PKI is instrumental in implementing various security services, such as digital signatures, secure email, and the encryption of data.
- The Concept Behind PKI Standards and Trust:
The PKI model is built around a hierarchical trust structure, typically anchored by a trusted entity known as the Certificate Authority (CA). The CA's role is multifaceted; it involves the issuance, management, and revocation of digital certificates. A digital certificate serves as a digital passport or credential, affirming the identity of the certificate holder and their association with the public key contained within the certificate. This setup ensures that when a public key is used to encrypt data or validate a digital signature, the identity of the keyholder is verifiable and trusted.
Trust within PKI is established through the process of certificate issuance. When a CA issues a certificate, it is essentially asserting the identity of the entity holding the corresponding private key. This assertion is made possible through rigorous identity verification processes. Trust in a PKI system is transitive; end users trust the CA, and because of this trust, they also trust the certificates issued by the CA. This hierarchical model can extend multiple levels, with Root CAs at the apex, Intermediate CAs forming the middle layer, and end-entity certificates at the bottom.
- Revoking a Certificate: Despite the robustness of PKI, there are circumstances under which a digital certificate may need to be revoked. Reasons for revocation include the exposure of the private key to unauthorized parties, the compromise of the CA, or the certificate holder no longer being authorized to use the certificate (e.g., due to a change in role or employment status).
Revocation is a critical aspect of PKI management, ensuring the integrity and trustworthiness of the system. The primary mechanism for revocation is the Certificate Revocation List (CRL). A CRL is a list, published by the CA, of certificates that have been revoked before their scheduled expiration dates. The list is periodically updated and must be checked by parties relying on certificates to ensure the continued validity of the certificates they accept.
An alternative to CRLs, offering more timely information, is the Online Certificate Status Protocol (OCSP). OCSP allows clients to query the CA or a designated OCSP responder with the serial number of a certificate, to which the responder returns the certificate's status — valid, revoked, or unknown. OCSP provides a more scalable and efficient means of checking certificate validity, especially critical in environments requiring real-time validation.
In conclusion, PKI is an intricate yet essential framework that underpins secure digital communication and transactions. The trust model, facilitated through a hierarchy of CAs and digital certificates, ensures that entities can communicate securely and verify each other's identities. Certificate revocation mechanisms, such as CRLs and OCSP, are pivotal in maintaining the integrity and trustworthiness of the system, allowing for the timely invalidation of compromised or unauthorized certificates.
Public key infrastructure (PKI) is the term used to describe ways to create, store, and manage digital certificates. Many organizations are trying to create industry-standard, vendor-neutral ways to enable e-commerce. Organizations include the Open Group (TOG), the Internet Engineering Task Force (IETF), and the World Wide Web Consortium (W3C). Standard PKI elements include:
- Digital certificates (keys).
- A CA that verifies digital certificates.
- A registration authority (RA) that vouches for the actual CA. Another name for an RA is a verification authority. A verifying authority creates a CA.
- A secure, central storage area for the certificates. Generally, this is an ITU X.500-compliant directory. Another name for such a storage placeis a directory.
- A system that securely transports certificates. The Lightweight Directory Access Protocol (LDAP) has become a popular way to access X.500-compliant databases.
The primary purpose of these standards is to establish trust between different organizations that need to work with each other. These standards have become essential in the face of rapid acceptance of client-server technology.
Revocation of a Certificate
Whenever a person or site loses trust in a certificate, the certificate can be revoked. CAs maintain lists of revoked certificates. Most protocols supporting certificates allow for real-time certificate verification. This process involves sending the certificate information to the CA for verification. During this step, the CA checks the certificate against the revocation
list. Including this step takes a few seconds per transaction, which can be an unacceptable delay on busy e-commerce servers.
Reasons for revocation include:
- Private key compromise
- CA compromise
- Change of business practices and location
All these problems are serious breaches of trust and invalidate the certificate.
Once a key is revoked, it is effectively "dead" and cannot be reused. You will have to create another key and get it certified.
In the next lesson, you will learn about different types of certificates.
Public Key Infrastructure-Exercise
PKI Standards - Exercise
Click the Exercise link below to complete an On Your Own exercise to analyze a certificate authority.
PKI Standards - Exercise
Creates certificate authorities.
What happens when you lose trust in a certificate.