Chapter 3: Certificate Management (chapter 3 certificate management.ppt)

  • About 43 pages
  • Published 2017-03-18 in Guizhou


Certificate Cancellation
  • Certificate expiration: the natural, "peaceful" end of life
  • Certificate revocation: an untimely death, possibly with dangerous causes
  • Key history: for the owner, e.g. to read old encrypted messages
  • Key archive: "for the public": audit, old signatures, disputes, etc.

Certificate Expiration
  • No action
  • Certificate renewal: same keys, same certificate, but new dates
    Preferably automatic, but watch for attribute changes!
  • Certificate update: new keys, new certificate

Certificate Revocation
  • Requested by: owner, employer, arbiter, TTP, ???, ...
  • Request sent to the RA/CA
  • Mechanisms for revocation checks:
    Certificate Revocation Lists (CRLs)
    On-line Certificate Status Protocol (OCSP)
    "Will it live?" (SCVP)
  • Revocation delay: according to the Certificate Policy

Publication Mechanisms
  • Complete CRLs
  • Authority Revocation Lists (ARLs)
  • CRL distribution points (partitioned CRLs)
  • Delta CRLs
  • Indirect CRLs
  • Enhanced CRL distribution points
  • Redirect CRLs
  • Certificate Revocation Trees (CRTs)
  • White lists vs. black lists

CRL Versions
  • Version 1 (from X.509 v1)
    Flaws: scalability; not extendable; one CRL can be replaced with another
  • Version 2 (similar to X.509 v3)
    Extensions, critical and non-critical, per-CRL and per-entry
    Format: see the following slide

CRL Format

Complete CRLs
  • Advantage: self-contained, simple, complete
  • Problems:
    Scalability: the CRL may grow too big
    Timeliness: also a consequence of CRL size
  • Conclusion: appropriate for some domains

Authority Revocation Lists
  • ARL = a CRL for CAs: revokes the certificates of CAs
  • Rarely needed/used: decommissioned or compromised CAs

CRL Distribution Points
  • Partition the CRL into smaller chunks
  • Static partitions: the certificate points to its CRL distribution point
  • Dynamic partitions
  • Enhanced/Redirect CRL DPs: the certificate points to a Redirect CRL; the Redirect CRL directs to the proper CRL partition

Delta CRL
  • Incremental change from a Complete or Partition CRL
  • CRLnew = BaseCompleteCRLold + DeltaCRL
  • Possibly many DeltaCRLs from the same BaseCRL
  • E.g. a complete CRL issued once a week, and a new DeltaCRL (containing the
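The Delta CRL combination CRLnew = BaseCompleteCRLold + DeltaCRL, worked through as an added example that is not part of the slides. The CRL objects are simplified stand-ins for the X.509 fields cRLNumber, BaseCRLNumber and revokedCertificates, with constructed sample data; it goes slightly beyond the slide by checking that the delta actually applies to the given base and by honouring the RFC 5280 removeFromCRL reason code, which drops an entry (e.g. a released hold) from the combined list.

```python
"""Combine a base (complete) CRL with a Delta CRL and check a serial number."""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 5280 CRLReason codes used in the sample data
KEY_COMPROMISE = 1
SUPERSEDED = 4
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8  # only meaningful inside a Delta CRL


@dataclass
class CRL:
    crl_number: int                         # cRLNumber extension
    entries: Dict[int, int]                 # serial number -> CRLReason code
    base_crl_number: Optional[int] = None   # BaseCRLNumber: present only on a Delta CRL


def combine(base: CRL, delta: CRL) -> CRL:
    """Apply a Delta CRL to a complete CRL: CRLnew = BaseCRLold + DeltaCRL."""
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a Delta CRL")
    # The delta must have been issued against this base (or an older one the
    # base already incorporates) and must be newer than the base itself.
    if base.crl_number < delta.base_crl_number or delta.crl_number <= base.crl_number:
        raise ValueError("Delta CRL does not apply to this base CRL")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold released: certificate is valid again
        else:
            merged[serial] = reason    # newly revoked, or reason updated
    return CRL(crl_number=delta.crl_number, entries=merged)


def is_revoked(crl: CRL, serial: int) -> bool:
    """Black-list check: a serial is revoked iff it appears in the CRL."""
    return serial in crl.entries


# Constructed sample: a weekly complete CRL and a later daily Delta CRL.
BASE = CRL(crl_number=100, entries={0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD})
DELTA = CRL(crl_number=103, base_crl_number=100,
            entries={0x1003: SUPERSEDED, 0x1002: REMOVE_FROM_CRL})
STALE_DELTA = CRL(crl_number=99, base_crl_number=95, entries={0x1004: SUPERSEDED})

if __name__ == "__main__":
    current = combine(BASE, DELTA)
    for serial in (0x1001, 0x1002, 0x1003):
        print(hex(serial), "revoked" if is_revoked(current, serial) else "not revoked")
```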
