Public key infrastructure (PKI) standards and trust
Understand the concept of a PKI and how to revoke a certificate.
Public key infrastructure (PKI) standards
Public key infrastructure (PKI) is the term used to describe the ways digital certificates are created, stored, distributed, and managed. Many organizations are working on industry-standard, vendor-neutral ways to enable e-commerce; they include the Open Group (TOG), the Internet Engineering Task Force (IETF), and the World Wide Web Consortium (W3C). Standard PKI elements include:
Digital certificates, each binding a public key to the identity of its holder. The private key is never part of the certificate; only the holder has it.
A certificate authority (CA) that issues and signs digital certificates. The CA's signature is what a relying party verifies when it decides whether to trust a certificate.
A registration authority (RA) that verifies the identity of an applicant on behalf of the CA before a certificate is issued. An RA is sometimes called a verification authority; it vouches to the CA for the applicant, and it does not create or stand above the CA.
A secure, central repository for issued certificates. Generally this is an ITU X.500-compliant directory.
A way to securely retrieve and distribute certificates. The Lightweight Directory Access Protocol (LDAP) has become a popular way to access X.500-compliant directories.
The primary purpose of these standards is to establish trust between different organizations that need to work with each other: a certificate issued under one organization's CA must be verifiable by another organization's software. These standards have become essential with the rapid adoption of client-server technology.
Whenever the trust a certificate represents is lost, the certificate can be revoked by the CA that issued it. CAs publish signed lists of revoked certificates, called certificate revocation lists (CRLs), and most protocols that use certificates allow a relying party to check a certificate's status in real time, either by fetching the CA's current CRL or by querying the CA's responder with the Online Certificate Status Protocol (OCSP).
In either case the relying party sends the certificate's identifying information (its issuer and serial number) to the CA or its responder, which checks it against the revocation list.
Including this step can add seconds per transaction, which can be an unacceptable delay on busy e-commerce servers; this is why the check is so often cached or skipped. A verifier that cannot obtain a current CRL or OCSP response should treat the certificate's status as unknown rather than as valid, because a revoked certificate looks exactly like a valid one until the revocation list is consulted. Reasons for revocation include:
Private key compromise (or compromise of the CA that issued the certificate)
Change of business practices, affiliation, name, or location, so that the identity the certificate asserts is no longer accurate
Any of these breaks the binding between the key and the identity that the certificate asserts, and so invalidates the certificate. The CRL records a reason code next to each revoked serial number (for example keyCompromise or affiliationChanged), so a relying party can tell a compromise from a routine administrative change.
Once a certificate is revoked, it is effectively "dead": it cannot be reinstated or reused. You will have to obtain a new certificate and, if the private key was compromised, generate a new key pair before getting it certified.
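The revocation cycle described above, carried out end to end with the openssl command-line tool, as an added example that is not part of the lesson. It builds a throwaway CA in a temporary directory, issues a certificate, and then asks a relying party that insists on a CRL check what it sees at three points: before any CRL exists (the status cannot be determined, which a careful verifier reports instead of treating the certificate as valid), with an empty CRL published (valid), and after the certificate is revoked for key compromise (revoked). The CA name, the hostname www.example.test, the directory layout, the configuration file, and the function names are all assumptions made for this walkthrough; it requires openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the lesson): a throwaway CA that issues a certificate,
# revokes it, publishes a CRL, and shows what a relying party sees at each step.
# Assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH. All names
# (Demo Root CA, www.example.test) are made up for this walkthrough.
set -eu

# Write a minimal openssl.cnf for the CA rooted at directory $1.
write_ca_config() {
    ca=$1
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $ca/index.txt
new_certs_dir    = $ca/newcerts
serial           = $ca/serial
crlnumber        = $ca/crlnumber
certificate      = $ca/ca.crt
private_key      = $ca/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = leaf_ext

[ cn_only ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment

[ req ]
default_md         = sha256
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA database files and a self-signed root certificate in $1.
setup_ca() {
    ca=$1
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    write_ca_config "$ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" \
        -subj "/CN=Demo Root CA" -config "$ca/openssl.cnf" 2>/dev/null
}

# Issue a leaf certificate for CN=$2 from the CA in $1 (writes $1/$2.crt).
issue_cert() {
    ca=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$ca/$cn.key" -out "$ca/$cn.csr" \
        -subj "/CN=$cn" -config "$ca/openssl.cnf" 2>/dev/null
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$ca/$cn.csr" -out "$ca/$cn.crt" 2>/dev/null
}

# Sign and publish the CA's current CRL to $1/crl.pem.
publish_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Revoke the certificate for CN=$2 with CRL reason $3 and republish the CRL.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" -crl_reason "$3" 2>/dev/null
    publish_crl "$1"
}

# What a relying party that insists on a revocation check concludes about
# CN=$2 in CA $1: prints valid, revoked, no-crl (status unknowable) or error.
revocation_status() {
    ca=$1; cn=$2
    set -- -crl_check -CAfile "$ca/ca.crt"
    if [ -f "$ca/crl.pem" ]; then
        set -- "$@" -CRLfile "$ca/crl.pem"
    fi
    if out=$(openssl verify "$@" "$ca/$cn.crt" 2>&1); then
        echo valid
    elif echo "$out" | grep -q "certificate revoked"; then
        echo revoked
    elif echo "$out" | grep -q "unable to get certificate CRL"; then
        echo no-crl
    else
        echo "error: $out"
    fi
}

# Walk through issue -> no CRL yet -> empty CRL -> revoked, then show the CRL entry.
run_demo() {
    d=$(mktemp -d)
    setup_ca "$d"
    issue_cert "$d" www.example.test
    echo "before any CRL is published: $(revocation_status "$d" www.example.test)"
    publish_crl "$d"
    echo "with an empty CRL:           $(revocation_status "$d" www.example.test)"
    revoke_cert "$d" www.example.test keyCompromise
    echo "after revocation:            $(revocation_status "$d" www.example.test)"
    openssl crl -in "$d/crl.pem" -noout -text | sed -n '/Revoked Certificates/,/Signature Algorithm/p'
    rm -rf "$d"
}

run_demo
```

Run it with sh pki_revocation_demo.sh (or any name you save it under). The first status line is the caveat worth remembering: openssl verify -crl_check refuses the certificate when it cannot find a CRL for the issuer at all, whereas a relying party that silently skips the check when the list is unreachable would accept the same certificate after it has been revoked. The CRL dump at the end shows the revoked serial number together with the reason code the CA recorded, which is what lets a relying party distinguish a compromised key from a routine change.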
In the next lesson, you will learn about different types of certificates.