home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |
APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers



  W O R K S H O P

Certificate Revocation: When Not To Trust

June 26, 2000
By Mike Fratto

Installing and managing a PKI (public key infrastructure) have far-reaching implications in an enterprise. A PKI by itself offers no value until it is paired with applications and services designed to leverage its functionality. Briefly, a PKI needs to issue digital certificates to individuals and organizations, manage the certificates during their life cycles and publish information about the certificates to directories. In this article, we'll explain managing and applying certificate revocation.

Revocation data can be published in a CRL (certificate revocation list), which is a signed list of certificate serial numbers; a CRDP (certificate revocation distribution point), which consists of partitioned CRLs; or an OCSP (online certificate status protocol), a client/server protocol used to query a VA (validation authority) for certificate status.

Some aspects of revocation, however, are the same regardless of the publishing method. In fact, many of the issues surrounding revocation have little to do with technology--they are primarily organizational. And often your choice of revocation method will be determined by the end application. But understanding the revocation methods will help you make the most of what you have.

Certificate Contents

Certificates contain information about the end entities as minimally defined by Internet X.509 Public Key Infrastructure Certificate and CRL Profile in RFC 2459. Other attributes may be entered into a certificate as well. For example, common fields in a certificate might define mailing addresses, spending limits or access-control fields. A certificate can contain virtually any information that is customizable via the CA (certificate authority).

Certificates are given a set life span when issued. For example, a certificate may be valid for 365 days. Then it expires and a new certificate must be issued. There is an indirect relationship, however, between the information contained in the certificate and its useful lifetime. Generally speaking, the more information in the certificate, the shorter its usefulness, because the information may change and a new certificate will have to be reissued before the first expires. Moreover, any information contained in the certificate will be publicly available. Therefore, the rule of thumb is to include as little information as possible.

Certificate revocation is a necessary part of the certificate process. There are many reasons why you might want to revoke a certificate long before it expires. For example, a user might change organizations or lose his or her key pair, or an e-commerce site using SSL (Secure Sockets Layer) may close up shop. In all these cases, the certificate needs to be revoked before it expires so that it cannot be used--either unwittingly or for nefarious purposes.



PAGE: 1 I 2 I 3 I NEXT PAGE
 





Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
Aneesh Chopra is looking to other CIOs to advise him on fleshing out a more detailed agenda to best serve the president's IT agenda.

IT spending is expected to decline by 3.8 percent in 2009 according to Gartner.










2009 IT Salary Survey: Meager Raises, Solid Prospects
Though raises are notably smaller than a year ago, and job security’s shrinking, IT careers are looking safer than many others in this economic downturn. Get all the findings in InformationWeek's 2009 IT Salary Survey. Available FREE for a limited time.
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch


Microsite of the Week


Powerful Information at Your Fingertips



Techweb
Informationweek Business Technology Network
InformationweekInformationweek 500Informationweek 500 ConferenceInformationweek AnalyticsInformationweek Events
Informationweek MagazineGlobal CIOIWK Government ITbMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingPlug Into The CloudDr. DobbsContentinople
space
TechWeb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0Mobile Business ExpoNoJitter
Black HatGTECEnergy CampCloud ConnectGov 2.0 ExpoGov 2.0 Summit
space
Light Reading Communications Network
Light ReadingLight Reading AsiaUnstrungCable Digital NewsInternet EvolutionPyramid Research
Heavy ReadingLight Reading LiveLight Reading InsiderEthrnet ExpoTelco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems and TechnologyInsurance and TechnologyWall Street and TechnologyAccelerating WallstreetBST SummitBuyside Trading SummitIT Summit
space
Microsoft Technology Network
MSDNTechNetTotal IT ProTotal Dev ProNET Total Dev Pro CommunitySQL Total Dev Pro Community
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2009  United Business Media LLC  |  Privacy Statement  |  Terms of Service