Public Key Infrastructure
Refers to a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public key encryption
PKI components
Certification Authority (CA)
Responsible for issuing certificates
Registration Authority (RA)
Responsible for verifying the actual identity of the individual requesting a certificate
The type of validation depends on the type of certificate being requested
Certification Revocation List (CRL)
A signed document that contains information about which certificates have been revoked
It contains the serial number of the revoked certificate, the time of revocation and the reason for revocation, for each certificate in the list
The CRL is signed by the CA and then released at a CRL Distribution Point (CDP)
Online Certificate Status Protocol (OCSP)
Certification Repository and Revocation Information
Holds the information about which certificates are still valid
Revocation
After a CA certifies a key, there may be circumstances in which we may want to invalidate a certificate
etc.
Public Key Infrastructure (PKI) models and structures
Simple Certification
Having one CA that gives out certificates
Multi-Layer Certification
Having a Root CA that delegates trust to other CAs, who then issue certificates for others
Cross Certification
Trusting one CA automatically leads to trusting the other
Chain of Trust Certification Structure
The entity receives a certificate, then follows the chain all the way up to the Root CA to check who issued that certificate
Multiple Cross Certification
Multiple CAs can mutually cross-certify each other
Bridge Cross Certification
One CA acts as a bridge that certifies all the other CAs, and all of the other CAs certify that one bridge