Chapter 25: Public Key Infrastructure
Public Key Infrastructure (PKI)
Components
RA
CA
Third-party trust model
Certificate Authority
Intermediate CA
Revocation
CRL
OCSP: Online certificate status protocol
Suspension
CSR
https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr
X.509: the Certificate Standard
Parts of a certificate
Version Number (usually 1)
Subject (the certificate owner)
Public Key (the whole point)
Issuer (the CA, like Verisign)
Serial Number
Validity: To and From Dates
Certificate Usage (signing, email, encryption)
Signature Algorithm (the hashing and digital signature algorithms used)
Extension (custom data)
Public Key
Private Key
OID
Online and Offline CAs
Stapling
https://en.wikipedia.org/wiki/OCSP_stapling
This refers to “stapling” two documents together: a website’s certificate and a signed, current OCSP response verifying that certificate.
Pinning (obsolete)
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
This refers to fixing a reference from one entity (website) to one certificate, even if that entity (website) moves from one physical host to another.
Trust Models
Hierarchical
Peer to peer
Hybrid
Key Escrow
See p. 474 of our text. Note that you might (should) have different keys (certificates) for different purposes (e.g. signing vs. encrypting). Encryption keys SHOULD be held in escrow (in enterprise situations); signing keys should NEVER be held in escrow. (No one has any legal reason to use my keys to “sign” an object after I am dead.)
Certificate Chaining
https://docs.microsoft.com/en-us/windows/win32/seccrypto/certificate-chains
Types of Certs
End-entity certs
CA certs
Cross-certification certs
Policy certs
Wildcard certs
Code-signing certs
Self-signed certs
Machine / Computer
User
Root
Domain validation
Extended validation
Certificate Formats
.der
.pem
.cer / .crt
.key
.pfx
.p12
.p7b
***
Certificate Issues
Broken Chain of Trust