Published 2016-08-19, Henan
Chapter 4 Key Services and Implementation
4.6 Deploying PKI Services

Public Certification Authority Services
- Value Provided
- Certificate Classes
- E-Mail Certificates
- Server-Side SSL Certificates
- Client-Side SSL Certificates
- Code Signing Certificates
- CA Certificates

In-House Enterprise Certification Authorities

Outsourced Enterprise CAs

PKI Principle and Technology
SOFTWARE COLLEGE, NORTHEASTERN UNIVERSITY
Xu Jian, neuxujian@
Based on “PKI Implementing and Managing E-Security” by Andrew Nash, William Duane, Celia Joseph, Derek Brink

Chapter 4 Key Services and Implementation
1 Key Life Cycle and Certificate Revocation
2 Certification Paths
3 Types of Keys
4 Certificate Distribution
5 Fundamental Requirements of PKI
6 Deploying PKI Services

PKI Key Services

4.1 Key Life Cycle

How long will that key last? (key lifetime)

Causes of key compromise:
- Mathematical attacks
- Errors in poor software implementations
- Analysis of hardware key storage
- Lack of diligence by the key owner when protecting access to the key
- Social engineering attacks

Solution to key compromise:
- Re-keying periodically

4.1 Key Life Cycle: Certificate Revocation

Certificate Revocation

To deal with events like key compromise, there must be some way of advising the CA that the user’s private key has been compromised.
(1) The CA may be notified by the owner of the key.
(2) If issuance of certificates is linked to a user management system, deletion of the user record should result in a certificate revocation notification.
(3) Certificate Revocation List (CRL)

Certificate Revocation List

- The CRL is signed with the private key of a trusted revocation service to ensure that the list can’t be modified.
- The CRL is generally published to a directory that can be referenced during certificate validation.
- The period for publication of a CRL is determined by the CA.

Fields of a CRL:
- CRL issuer
- CRL update date
- CRL next update date
- User certificate serial number
- Certificate revocation date
- Certificate revocation reason
- CRL issuer signature
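The CRL check that a relying party performs during certificate validation, as an added example that is not part of the original slides. It uses the Python cryptography package; the keys, issuer name, serial numbers and dates are constructed sample values.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC, DAY = dt.timezone.utc, dt.timedelta(days=1)

def build_crl(signing_key, issuer, revoked_serials, this_update, next_update):
    """Issue a CRL with the slide's fields: issuer, update dates, serial/date/reason entries."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(this_update).next_update(next_update))
    for serial in revoked_serials:
        reason = x509.CRLReason(x509.ReasonFlags.key_compromise)
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(this_update).add_extension(reason, critical=False).build())
    return builder.sign(private_key=signing_key, algorithm=hashes.SHA256())

def _when(crl, name):
    # cryptography >= 42 exposes aware *_utc properties; older releases return naive UTC.
    value = getattr(crl, name + "_utc", None) or getattr(crl, name)
    return value if value is None or value.tzinfo else value.replace(tzinfo=UTC)

def check_revocation(crl, trusted_key, serial, now):
    """Return 'good', 'revoked:<reason>', or why the CRL itself must not be relied on."""
    if not crl.is_signature_valid(trusted_key):
        return "crl-untrusted"   # not signed by the trusted revocation service
    start, end = _when(crl, "last_update"), _when(crl, "next_update")
    if end is None or not (start <= now < end):
        return "crl-stale"       # outside this-update..next-update: fetch a fresh CRL
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.value
    except x509.ExtensionNotFound:
        reason = "unspecified"   # the reason code is optional in a CRL entry
    return "revoked:" + reason

# Constructed sample data (assumptions): throwaway keys, issuer name, serials and dates.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Revocation Service")])
ISSUED = dt.datetime(2024, 1, 1, tzinfo=UTC)
CRL = build_crl(CA_KEY, ISSUER, [0x1001], ISSUED, ISSUED + 7 * DAY)
# Same issuer name and dates, but signed with a different key and listing nothing as revoked.
ROGUE_CRL = build_crl(ec.generate_private_key(ec.SECP256R1()), ISSUER, [], ISSUED, ISSUED + 7 * DAY)
```

The signature and freshness checks run before the serial lookup, so a list that drops a revoked serial or has passed its next update date is rejected rather than reported as "good".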