WORKSHOP
Certificate Revocation: When Not To Trust
June 26, 2000
By Mike Fratto
Installing and managing a PKI (public key infrastructure) have far-reaching implications in an enterprise. A PKI by itself offers no value until it is paired with applications and services designed to leverage its functionality. Briefly, a PKI needs to issue digital certificates to individuals and organizations, manage the certificates during their life cycles and publish information about the certificates to directories. In this article, we'll explain managing and applying certificate revocation. Revocation data can be published in a CRL (certificate revocation list), which is a signed list of certificate serial numbers; a CRDP (certificate revocation distribution point), which consists of partitioned CRLs; or an OCSP (online certificate status protocol), a client/server protocol used to query a VA (validation authority) for certificate status.
Some aspects of revocation, however, are the same regardless of the publishing method. In fact, many of the issues surrounding revocation have little to do with technology; they are primarily organizational. And often your choice of revocation method will be dictated by the end application. But understanding the revocation methods will help you make the most of what you have.
Certificates contain information about the end entity; the minimum set of fields is defined by the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459). Other attributes may be entered into a certificate as well. For example, common fields in a certificate might define mailing addresses, spending limits or access-control attributes. A certificate can contain virtually any information the CA (certificate authority) is configured to include.
Certificates are given a set life span when issued. For example, a certificate may be valid for 365 days. Then it expires and a new certificate must be issued. There is an inverse relationship, however, between the amount of information contained in the certificate and its useful lifetime. Generally speaking, the more information in the certificate, the shorter its usefulness, because that information may change and a new certificate will have to be reissued before the first expires. Moreover, any information contained in the certificate will be publicly available. Therefore, the rule of thumb is to include as little information as possible.
Certificate revocation is a necessary part of the certificate process. There are many reasons why you might want to revoke a certificate long before it expires. For example, a user might change organizations or lose his or her key pair, or an e-commerce site using SSL (Secure Sockets Layer) may close up shop. In all these cases, the certificate needs to be revoked before it expires so that it cannot be used, whether unwittingly or for nefarious purposes.
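The following is an added example, not code from the article or from any product it discusses, showing the CRL mechanism described above end to end with only the Go standard library: a constructed CA issues three certificates, publishes a signed CRL naming one of them by serial number, and a relying party checks each certificate. The check order matters and is the point of the example: the relying party trusts the CRL only after verifying the CA's signature on it and confirming it is not past its NextUpdate time, then treats an expired certificate as expired regardless of the CRL, and only then looks the serial number up in the list. The CA name, the subjects (alice, bob, shop.example), the serial numbers and the fixed "current time" of June 26, 2000 are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of checking one certificate against a CRL.
type Status string

const (
	StatusGood    Status = "good"    // inside its validity period and not listed on the CRL
	StatusExpired Status = "expired" // outside its validity period; the CRL is not consulted
	StatusRevoked Status = "revoked" // serial number listed on a CA-signed, fresh CRL
)

// newCA builds a self-signed CA (constructed) allowed to sign certificates and CRLs.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Workshop CA (constructed)"},
		NotBefore:             now.Add(-365 * 24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs an end-entity certificate with a given serial number and lifetime in days.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publishCRL signs a CRL listing the revoked serial numbers. NextUpdate tells
// relying parties how long they may rely on this list before fetching a new one.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked []*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckStatus is the relying-party side: an unsigned or stale CRL is an error, not "good".
func CheckStatus(cert *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate, now time.Time) (Status, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return StatusExpired, nil
	}
	for _, rc := range crl.RevokedCertificates { // CRL entries are serial numbers, not names
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// Demo builds the scenario: a current user (good), a user who left the organization
// (revoked before expiry) and a site whose certificate simply ran out (expired).
func Demo() (map[string]Status, error) {
	now := time.Date(2000, 6, 26, 12, 0, 0, 0, time.UTC) // constructed "current time"
	day := 24 * time.Hour
	ca, caKey, err := newCA(now)
	if err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, s := range []struct {
		serial int64
		cn     string
		age    time.Duration
	}{{1001, "alice", 30 * day}, {1002, "bob", 30 * day}, {1003, "shop.example", 400 * day}} {
		c, err := issue(ca, caKey, s.serial, s.cn, now.Add(-s.age), 365)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	crl, err := publishCRL(ca, caKey, now, []*big.Int{certs[1].SerialNumber}) // revoke bob
	if err != nil {
		return nil, err
	}
	out := map[string]Status{}
	for _, c := range certs {
		st, err := CheckStatus(c, crl, ca, now)
		if err != nil {
			return nil, err
		}
		out[c.Subject.CommonName] = st
	}
	return out, nil
}

func main() {
	statuses, err := Demo()
	if err != nil {
		panic(err)
	}
	for cn, st := range statuses {
		fmt.Printf("%-14s %s\n", cn, st)
	}
}
```

Note that the CRL carries only serial numbers, which is why a serial must never be reused by the CA, and that a relying party which skips the signature or freshness check can be fed an old or forged list; the stale-CRL error path above is what prevents a revoked certificate from being accepted by a client that cached the list indefinitely.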