CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [181]
The receiving organization can use this policy to determine whether the certificate has come from a legitimate source. Think about it this way: A PKI certificate can be generated any number of ways using any number of servers. The policy indicates which certificates will be accepted in a given application.
Certificate Practice Statements
A Certificate Practice Statement (CPS) is a detailed statement that the CA uses to issue certificates and to implement the CA's policies.
The CA provides the CPS to users of its services. These statements should discuss how certificates are issued, what measures are taken to protect certificates, and the rules CA users must follow in order to maintain their certificate eligibility. The policies should be readily available to CA users.
If a CA is unwilling to provide this information to a user, the CA itself may be untrustworthy, and the trustworthiness of that CA’s users should be questioned.
Remember that a CPS is a detailed document used to enforce policy at the CA; a certificate policy doesn’t pertain to the CA but to the certificate itself.
Understanding Certificate Revocation
Certificate revocation is the process of revoking a certificate before it expires. A certificate may need to be revoked because it was stolen, an employee moved to a new company, or someone has had their access revoked. A certificate revocation is handled either through a Certificate Revocation List (CRL) or by using the Online Certificate Status Protocol (OCSP). A repository is simply a database or database server where the certificates are stored.
The process of revoking a certificate begins when the CA is notified that a particular certificate needs to be revoked. This must be done whenever the private key becomes known to anyone other than its owner. The owner of a certificate can request that it be revoked at any time, or the request can be made by the administrator.
The CA marks the certificate as revoked. This information is published in the CRL and becomes available using the OCSP. The revocation process is usually very quick; time is based on the publication interval for the CRL. Disseminating the revocation information to users may take longer. Once the certificate has been revoked, it can never be used—or trusted—again.
The CA publishes the CRL on a regular basis, usually either hourly or daily. The CA sends or publishes this list to organizations that have chosen to receive it; the publishing process occurs automatically in the case of PKI. The time between when the CRL is issued and when it reaches users may be too long for some applications. This time gap is referred to as latency. OCSP solves the latency problem: If the recipient or relying party uses OCSP for verification, the answer is available immediately. Currently, this process is under evaluation and may be replaced at some time in the future.
When a key is compromised, a revocation request should be made to the CA immediately. It may take a day or longer for the CRL to be disseminated to everyone using that CA.
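The latency gap described above can be seen in a small model: a CA that publishes a daily CRL snapshot and also answers OCSP queries from its live revocation record. This is an added example with constructed data, not code from the study guide; the CA, CRL and serial-number values are hypothetical, and real deployments would parse signed X.509 CRLs and OCSP responses instead.

```python
"""Model of CRL publication latency versus OCSP (constructed scenario)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CRL:
    """Snapshot published at this_update; a relying party may cache it until next_update."""
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers (hex strings) revoked at publication time


class CA:
    """Keeps the live revocation record and publishes periodic CRL snapshots."""
    def __init__(self, publish_interval=timedelta(days=1)):
        self.revocations = {}  # serial -> time the CA marked it revoked
        self.publish_interval = publish_interval

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def publish_crl(self, now):
        revoked = frozenset(s for s, t in self.revocations.items() if t <= now)
        return CRL(now, now + self.publish_interval, revoked)

    def ocsp_status(self, serial, now):
        """OCSP answers from the live record, so there is no publication delay."""
        t = self.revocations.get(serial)
        return "revoked" if t is not None and t <= now else "good"


def crl_status(serial, crl, now):
    """Relying party's answer from a cached CRL; an expired CRL gives no answer."""
    if not crl.this_update <= now <= crl.next_update:
        return "unknown"  # past next_update: fetch a fresh CRL before deciding
    return "revoked" if serial in crl.revoked else "good"


def scenario():
    ca = CA()
    midnight = datetime(2024, 1, 1, tzinfo=UTC)
    crl = ca.publish_crl(midnight)                                # daily CRL at 00:00
    ca.revoke("1a2b", datetime(2024, 1, 1, 9, tzinfo=UTC))        # compromise reported 09:00
    check = datetime(2024, 1, 1, 10, tzinfo=UTC)                  # relying party checks 10:00
    next_crl = ca.publish_crl(midnight + timedelta(days=1))       # next day's CRL
    return {
        "crl": crl_status("1a2b", crl, check),                    # stale for up to one interval
        "ocsp": ca.ocsp_status("1a2b", check),                    # revocation visible at once
        "crl_next_day": crl_status("1a2b", next_crl, midnight + timedelta(days=1, hours=1)),
        "expired_crl": crl_status("1a2b", crl, midnight + timedelta(days=2)),
    }
```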
Implementing Trust Models
For PKI to work, the capabilities of CAs must be readily available to users. The model that has been shown to this point is the simple trust model. However, the simple trust model may not work as PKI implementations get bigger. Conceptually, every computer user in the world would have a certificate. However, accomplishing this would be extremely complex and would create enormous scaling or growth issues.
Four main types of trust models are used with PKI:
■ Hierarchical
■ Bridge
■ Mesh
■ Hybrid
PKI was designed to allow all of these trust models to be created. They can be fairly granular from a control perspective. Granularity refers to the ability to manage individual resources in the CA network.
In the following sections, I’ll examine each of these models. I’ll detail how each model works and discuss its advantages and disadvantages.
Hierarchical Trust Models
In a hierarchical trust model—also known as a tree—a root CA at the top provides