PKI 202 Architecture Models and CRLs Aman Hardikar

Nov 22, 2014


NCC Group

Transcript
Page 1: PKI 202 Architecture Models and CRLs

PKI 202 – Architecture Models and CRLs Aman Hardikar

Page 2

Agenda

• Architecture Models

  • Subordinate

  • Cross certified mesh

  • Bridge

  • Trusted list

• Revocation

  • CRL

  • OCSP

Page 3

Overview

Mindmap (image), available at www.amanhardikar.com/mindmaps.html

Page 4

Topics Today

Page 5

PKI Trust Models

The fundamental purpose of PKI is to represent the trust relationship between participating parties.

The verifier verifies the chain of trust.

Four models exist:

• Subordinate Hierarchy

• Cross Certified Mesh

• Bridge CA

• Trusted List

Page 6

Subordinate Hierarchy

• Two or more CAs in a hierarchical relationship

• Good for single enterprise applications

• Hard to implement between enterprises

Page 7

Cross Certified Mesh

• Each internal CA signs the other PKI’s public verification keys

• Good for dynamically changing enterprise PKI applications

• Scalability is a major issue: n participating CAs need n(n-1) cross certifications

Page 8

Bridge CA

• Only the Root CAs participate in the cross certification

• Solves the issues with the mesh model

Page 9

Trusted List

• Uses a set of publicly trusted root certificates

• Ex: Internet Browsers
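The four models above differ only in which CA-to-CA certificates exist and which keys the verifier trusts directly, so the "chain of trust" the verifier builds is a path through a graph. The following is an added illustration, not code from the slides or from NCC Group: it models each trust architecture as a set of (issuer, subject) CA certificates, builds a path from a trust anchor to the CA that issued the end-entity certificate, and counts the cross certificates each model needs. It does graph reachability only; real path validation additionally checks signatures, validity periods, name and policy constraints, and revocation. All CA names are constructed.

```python
"""Certification-path building over the four PKI trust models (toy model)."""
from collections import deque

# A "certificate" is the pair (issuer_ca, subject_ca): the issuer has signed
# the subject CA's public verification key. Signatures are not modelled.


def build_edges(certs):
    """Adjacency map issuer -> set of subject CAs it has certified."""
    edges = {}
    for issuer, subject in certs:
        edges.setdefault(issuer, set()).add(subject)
    return edges


def find_path(certs, trust_anchors, leaf_issuer):
    """Breadth-first search from the verifier's trust anchors to leaf_issuer.

    Returns the CA names along the chain (anchor first), or None when no
    chain exists, i.e. the leaf's issuer is not reachable from anything the
    verifier trusts.
    """
    edges = build_edges(certs)
    queue = deque((anchor, [anchor]) for anchor in trust_anchors)
    seen = set(trust_anchors)
    while queue:
        node, path = queue.popleft()
        if node == leaf_issuer:
            return path
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


# --- constructors for the four architectures ------------------------------

def subordinate_hierarchy(root, subs):
    """One root certifies each subordinate CA."""
    return [(root, sub) for sub in subs]


def cross_certified_mesh(roots):
    """Every root cross-certifies every other root: n(n-1) certificates."""
    return [(a, b) for a in roots for b in roots if a != b]


def bridge(bridge_ca, roots):
    """Each root and the bridge certify each other: 2n certificates."""
    return [(r, bridge_ca) for r in roots] + [(bridge_ca, r) for r in roots]


# Trusted list: no cross certificates at all; the verifier simply trusts
# every root directly (the browser root-store case), so trust_anchors = roots.


def demo():
    """Constructed scenario: four organisations, each with its own root CA."""
    roots = ["OrgA-Root", "OrgB-Root", "OrgC-Root", "OrgD-Root"]
    results = {}

    hier = subordinate_hierarchy("OrgA-Root", ["OrgA-Sub1", "OrgA-Sub2"])
    results["hierarchy"] = find_path(hier, {"OrgA-Root"}, "OrgA-Sub2")
    # A hierarchy says nothing about other enterprises' CAs:
    results["hierarchy_other_org"] = find_path(hier, {"OrgA-Root"}, "OrgB-Root")

    mesh = cross_certified_mesh(roots)
    results["mesh_certs"] = len(mesh)          # n(n-1) = 12 for n = 4
    results["mesh"] = find_path(mesh, {"OrgA-Root"}, "OrgD-Root")

    br = bridge("Bridge-CA", roots)
    results["bridge_certs"] = len(br)          # 2n = 8 for n = 4
    results["bridge"] = find_path(br, {"OrgA-Root"}, "OrgD-Root")

    results["trusted_list"] = find_path([], set(roots), "OrgD-Root")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The mesh and bridge results show the scalability point from the slides directly: both models let an OrgA relying party reach OrgD, but the mesh needs n(n-1) cross certificates while the bridge needs 2n and adds one hop (the bridge CA) to every cross-organisation chain.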

Page 10

Traditional CRLs

The relying party checks the certificate against the latest published CRLs.

Disadvantage:

The load on the network is directly proportional to the length of the CRLs and to the number of users downloading them.

Page 11

Modified CRLs

• Overissued CRLs

• Segmented CRLs

• Delta CRLs

• Sliding window (overissued delta) CRLs
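Delta CRLs shrink the download by listing only changes since a base CRL, and the relying party must merge the two (and notice when either has expired) before trusting the result. The following is an added example and not code from the slides: a minimal base-plus-delta merge and status lookup in the spirit of RFC 5280, using the `removeFromCRL` reason to release a certificate that was on hold. The `CRL` dataclass, the serial numbers and the timestamps are constructed for the demonstration; signature verification of the CRLs, which a real client must do first, is not modelled.

```python
"""Base CRL + delta CRL merge and freshness-aware status lookup (toy model)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Reason code carried in a delta CRL to drop an entry from the base
# (used when a certificateHold is lifted).
REMOVE_FROM_CRL = "removeFromCRL"


@dataclass
class CRL:
    issuer: str
    number: int                      # CRL number; increases with each issue
    this_update: datetime
    next_update: datetime            # after this the CRL must be refreshed
    entries: Dict[int, str] = field(default_factory=dict)  # serial -> reason
    base_number: Optional[int] = None  # set only on delta CRLs


def apply_delta(base: CRL, delta: CRL) -> CRL:
    """Return the effective CRL obtained by applying a delta to its base."""
    if delta.base_number is None:
        raise ValueError("not a delta CRL")
    if delta.issuer != base.issuer:
        raise ValueError("delta and base CRL come from different issuers")
    # A delta applies to any base whose number is at least its base number
    # and must itself be newer than the base it is applied to.
    if delta.base_number > base.number or delta.number <= base.number:
        raise ValueError("delta does not apply to this base CRL")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold lifted: certificate valid again
        else:
            merged[serial] = reason    # new revocation (or updated reason)
    return CRL(base.issuer, delta.number, delta.this_update,
               delta.next_update, merged)


def check_status(crl: CRL, serial: int, now: datetime) -> str:
    """'good', 'revoked', or 'stale' when the CRL is past its nextUpdate."""
    if now > crl.next_update:
        return "stale"                 # a fresh CRL must be fetched first
    return "revoked" if serial in crl.entries else "good"


def demo():
    """Constructed data: one base CRL, one delta six hours later."""
    t0 = datetime(2014, 11, 22, 0, 0, tzinfo=timezone.utc)
    base = CRL("Example CA", 10, t0, t0 + timedelta(hours=24),
               {0x1001: "keyCompromise", 0x1002: "certificateHold"})
    delta = CRL("Example CA", 11, t0 + timedelta(hours=6),
                t0 + timedelta(hours=12),
                {0x1003: "superseded", 0x1002: REMOVE_FROM_CRL},
                base_number=10)
    effective = apply_delta(base, delta)
    at_7h = t0 + timedelta(hours=7)
    at_13h = t0 + timedelta(hours=13)   # delta's nextUpdate has passed
    return {
        "effective_serials": sorted(effective.entries),
        "hold_lifted": check_status(effective, 0x1002, at_7h),
        "newly_revoked": check_status(effective, 0x1003, at_7h),
        "still_revoked": check_status(effective, 0x1001, at_7h),
        "after_expiry": check_status(effective, 0x1001, at_13h),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Note that the merged CRL inherits the delta's `nextUpdate`, which is why the 13-hour lookup reports `stale` even though the base CRL alone would still be within its 24-hour window: the client must not keep trusting a merged view whose delta has expired. Overissued and sliding-window schemes change only how often these objects are published and how their validity windows overlap; the merge and freshness logic is the same.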

Page 12

OCSP

Online Certificate Status Protocol

• Client – Server model

• Client requests status of a certificate

• Server sends a signed response back

• Advantages

  • Very small request and response

• Disadvantages

  • All responses need to be signed, increasing the load on the server

  • Clients must be online/connected to check the status

Page 13

SSLAuditor3 Preview

Report generation code needs a few fixes

Page 14

Next Presentations

PKI Applications

  SSL

  S/MIME

  PGP

  IKE

  SSLAuditor3 demo

PKI Architecture Weakness / Audit

  Architecture Weaknesses

  Auditing

  Mitigation Procedure

  Best Practices

Page 15

UK Offices

Manchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Thame

North American Offices

San Francisco

Atlanta

New York

Seattle

Australian Offices

Sydney

European Offices

Amsterdam - Netherlands

Munich - Germany

Zurich - Switzerland