THE CERTIFICATE TRIANGLE

  [Figure: the certificate triangle linking a user's identity, attributes and public key; the edges are labelled identity certificate and attribute certificate]

X.509 CERTIFICATE

  VERSION
  SERIAL NUMBER
  SIGNATURE ALGORITHM
  ISSUER
  VALIDITY
  SUBJECT
  SUBJECT PUBLIC KEY INFO (SPKI)
  SIGNATURE
© Ravi Sandhu 2000-2004
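To make the field list concrete, here is an added example (not from the slides) that assembles a minimal X.509 v3 certificate in DER from exactly those fields and parses it back, field by field. The DER helpers, the sample names, serial number and dates are constructed for the example; the key and signature bytes are placeholders rather than a real key pair or signature, so nothing is actually signed or verified.

```python
"""Minimal X.509 v3 certificate: DER encoder and field-by-field parser (no third-party libs)."""
import datetime

# --- DER encoders: tag, definite length, value ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):              # non-negative INTEGER, minimal two's-complement
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):         # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))
def der_null(): return tlv(0x05, b"")
def der_utctime(dt): return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
def der_bitstring(data): return tlv(0x03, b"\x00" + data)   # first octet = number of unused bits

SHA256_WITH_RSA, RSA_ENCRYPTION, ID_AT_CN = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3"

def der_name(cn):            # Name ::= SEQUENCE OF RDN; RDN ::= SET OF {type, value}
    return der_seq(der_set(der_seq(der_oid(ID_AT_CN), tlv(0x13, cn.encode()))))  # 0x13 = PrintableString

def build_certificate(serial, issuer_cn, subject_cn, not_before, not_after, pubkey, signature):
    sig_alg = der_seq(der_oid(SHA256_WITH_RSA), der_null())
    tbs = der_seq(
        tlv(0xA0, der_int(2)),                                       # [0] EXPLICIT version (v3 = 2)
        der_int(serial),                                             # serialNumber
        sig_alg,                                                     # signature algorithm (inner copy)
        der_name(issuer_cn),                                         # issuer
        der_seq(der_utctime(not_before), der_utctime(not_after)),    # validity
        der_name(subject_cn),                                        # subject
        der_seq(der_seq(der_oid(RSA_ENCRYPTION), der_null()), der_bitstring(pubkey)),  # SPKI
    )
    return der_seq(tbs, sig_alg, der_bitstring(signature))          # Certificate ::= SEQUENCE {tbs, alg, sig}

# --- DER decoders ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    arcs, cur = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def common_name(name):       # SEQUENCE > first SET > first SEQUENCE > (type, value)
    return children(children(children(name)[0][1])[0][1])[1][1].decode()

def parse_certificate(der):
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    (_, tbs), (_, outer_alg), (_, sig_bits) = children(body)
    fields = children(tbs)
    version = 1                                                      # version is OPTIONAL; absent = v1
    if fields[0][0] == 0xA0:
        version = 1 + int.from_bytes(children(fields.pop(0)[1])[0][1], "big")
    serial, inner_alg, issuer, validity, subject, spki = [f[1] for f in fields[:6]]
    spki_alg, spki_key = children(spki)
    return {
        "version": version,
        "serial": int.from_bytes(serial, "big"),
        "signature_algorithm": decode_oid(children(inner_alg)[0][1]),
        "algorithm_fields_match": inner_alg == outer_alg,            # RFC 5280 requires the two to agree
        "issuer": common_name(issuer),
        "validity": tuple(v.decode() for _, v in children(validity)),
        "subject": common_name(subject),
        "spki_algorithm": decode_oid(children(spki_alg[1])[0][1]),
        "public_key": spki_key[1][1:],                               # strip the unused-bits octet
        "signature": sig_bits[1:],
        "tbs_certificate": tlv(0x30, tbs),                           # the bytes the issuer signed
    }

# Constructed sample: placeholder key and signature bytes, not a real key pair (nothing is signed).
SAMPLE_CERT = build_certificate(0x1000, "Example CA", "alice", datetime.datetime(2024, 1, 1),
                                datetime.datetime(2025, 1, 1), bytes(range(16)), b"\xAA" * 8)

if __name__ == "__main__":
    for field, value in parse_certificate(SAMPLE_CERT).items():
        print(f"{field:24} {value}")
```

The parser returns the TBSCertificate bytes separately because that, not the whole certificate, is what the issuer's signature covers; a verifier hashes exactly those bytes. The inner and outer algorithm identifiers are compared because a mismatch is a malformed certificate rather than a stylistic slip.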
PGP BOTTOM-UP TRUST MODEL

X.509 CERTIFICATES

RSA is the only known public-key cryptosystem in which the same public-private key pair can be used for
  • digital signatures
  • encryption
This is perceived as a major advantage.

Signature keys
  private key:
    • must be kept private for its entire life, may never leave the smart card
    • needs to be securely destroyed after its lifetime
    • no need for backup or archiving (would conflict with the above)
    • no need to weaken or escrow due to law
  public key:
    • must be archived, possibly for a long time
    • should not be destroyed after its lifetime
    • may be weakened/escrowed due to law

Encryption and key-agreement keys
  public key:
    • no need to back up RSA or other encryption public keys
    • need to back up Diffie-Hellman key agreement public keys (the shared secret cannot be recomputed without the peer's public key)

X.509v3 NAMES
  • identification info in addition to the X.500 name
  • names other than the X.500 name
    - e.g. email address

X.509v3 EXTENSIONS
  • issuer can state policy and usage
    - e.g. good enough for casual email but not good enough for signing checks
  • limits on use of signature keys for further certification

X.509v3 EXTENSIONS: CRITICALITY
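Added example, not from the slides: a validator that applies extension semantics while walking a chain. The criticality rule it enforces is the one in RFC 5280 section 4.2: a certificate carrying a critical extension the relying party does not recognise must be rejected, while an unrecognised non-critical extension is simply ignored. basicConstraints (CA flag and pathLenConstraint) and keyUsage limit how far a signature key may be used for further certification, and extendedKeyUsage limits what the end-entity key may be used for. The sample certificates and their extension contents, the private-arc OIDs 1.3.6.1.4.1.99999.x and the use of id-kp-codeSigning as a stand-in for a higher-assurance use than casual email are all assumptions for the example; extensions are taken as already decoded tuples, the DER layer is not the point here.

```python
"""Enforce X.509v3 extension semantics (criticality, basicConstraints, keyUsage, EKU) over a chain."""

KEY_USAGE, BASIC_CONSTRAINTS, EXT_KEY_USAGE = "2.5.29.15", "2.5.29.19", "2.5.29.37"
KNOWN_EXTENSIONS = {KEY_USAGE, BASIC_CONSTRAINTS, EXT_KEY_USAGE}
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"     # id-kp-emailProtection
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"         # id-kp-codeSigning; stands in for a higher-assurance use

class Cert:
    def __init__(self, subject, issuer, extensions):
        self.subject, self.issuer = subject, issuer
        # extensions: iterable of (oid, critical, decoded value)
        self.extensions = {oid: (critical, value) for oid, critical, value in extensions}

def recognised_extensions(cert):
    """Return the extensions this validator understands; refuse the certificate
    outright if it carries a critical extension the validator does not understand."""
    for oid, (critical, _) in cert.extensions.items():
        if critical and oid not in KNOWN_EXTENSIONS:
            raise ValueError(f"{cert.subject}: unrecognised critical extension {oid}")
    return {oid: value for oid, (_, value) in cert.extensions.items() if oid in KNOWN_EXTENSIONS}

def validate_chain(chain, purpose):
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate; purpose is an EKU OID."""
    if len(chain) < 2:
        raise ValueError("chain needs a trust anchor and an end entity")
    for depth, cert in enumerate(chain):
        ext = recognised_extensions(cert)
        if depth and cert.issuer != chain[depth - 1].subject:
            raise ValueError(f"{cert.subject}: not issued by {chain[depth - 1].subject}")
        if depth < len(chain) - 1:                           # a CA certificate
            bc = ext.get(BASIC_CONSTRAINTS, {})
            if not bc.get("ca"):
                raise ValueError(f"{cert.subject}: not a CA, may not certify others")
            if KEY_USAGE in ext and "keyCertSign" not in ext[KEY_USAGE]:
                raise ValueError(f"{cert.subject}: signature key not usable for certification")
            following_cas = len(chain) - 2 - depth           # CA certificates below this one
            if bc.get("path_len") is not None and following_cas > bc["path_len"]:
                raise ValueError(f"{cert.subject}: pathLenConstraint {bc['path_len']} exceeded")
        else:                                                # the end entity
            if EXT_KEY_USAGE in ext and purpose not in ext[EXT_KEY_USAGE]:
                raise ValueError(f"{cert.subject}: key not certified for {purpose}")
    return True

def validation_error(chain, purpose):
    """The rejection message, or None when the chain is acceptable for the purpose."""
    try:
        validate_chain(chain, purpose)
    except ValueError as e:
        return str(e)
    return None

# Constructed sample chain: names follow the lecture's hierarchy figure, contents are invented.
ROOT_Z = Cert("Z", "Z", [(BASIC_CONSTRAINTS, True, {"ca": True, "path_len": None}),
                         (KEY_USAGE, True, {"keyCertSign", "cRLSign"})])
CA_X = Cert("X", "Z", [(BASIC_CONSTRAINTS, True, {"ca": True, "path_len": 0}),
                       (KEY_USAGE, True, {"keyCertSign", "cRLSign"})])
CA_Q = Cert("Q", "X", [(BASIC_CONSTRAINTS, True, {"ca": True, "path_len": None}),
                       (KEY_USAGE, True, {"keyCertSign"})])
ALICE = Cert("alice", "X", [(KEY_USAGE, True, {"digitalSignature"}),
                            (EXT_KEY_USAGE, False, {EMAIL_PROTECTION}),
                            ("1.3.6.1.4.1.99999.1", False, b"vendor data")])       # unknown, non-critical
BOB = Cert("bob", "X", [(KEY_USAGE, True, {"digitalSignature"}),
                        ("1.3.6.1.4.1.99999.2", True, b"must be understood")])      # unknown, critical
CAROL = Cert("carol", "Q", [(EXT_KEY_USAGE, False, {EMAIL_PROTECTION})])

if __name__ == "__main__":
    cases = [([ROOT_Z, CA_X, ALICE], EMAIL_PROTECTION), ([ROOT_Z, CA_X, ALICE], CODE_SIGNING),
             ([ROOT_Z, CA_X, BOB], EMAIL_PROTECTION), ([ROOT_Z, CA_X, CA_Q, CAROL], EMAIL_PROTECTION)]
    for chain, purpose in cases:
        print([c.subject for c in chain], purpose, "->", validation_error(chain, purpose) or "accepted")
```

Note the asymmetry the criticality flag creates: alice's unknown vendor extension is non-critical and is silently skipped, whereas bob's unknown critical extension rejects his certificate even though everything else about it is fine. That is the mechanism by which an issuer forces relying parties to honour a restriction or refuse the certificate.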
[Figure: timeline showing the compromise event, followed later by the revocation, against time]
OCSP: ON-LINE CERTIFICATE STATUS PROTOCOL

SHORT-LIVED CERTIFICATES

DELTA-CRLs

INDIRECT CRL
CERTIFICATE SUSPENSION
  • hold reason code in the CRL
  • supporting CRL entry extension
    - instruction code: instructions on what to do with the held certificate
    - e.g. call the CA, repossess the token
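Added example, not the lecture's code, covering the compromise-to-revocation timeline above and certificate suspension: a base CRL merged with a delta CRL, certificateHold entries carrying a hold instruction, release from hold via a removeFromCRL entry, and the invalidityDate entry extension that records when the compromise is believed to have happened (which may be well before the revocation was published). Reason codes, their names and the hold-instruction names are those of RFC 5280; the serial numbers, dates and the signature-acceptance policy are assumptions for the example.

```python
"""Certificate status from a base CRL plus a delta CRL, with certificateHold and invalidityDate."""
from datetime import datetime

# CRLReason values (RFC 5280 5.3.1); the entry extensions used are reasonCode,
# holdInstructionCode and invalidityDate.
KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
                4: "superseded", 5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL"}

def entry(serial, revoked, reason, invalidity_date=None, hold_instruction=None):
    """One revokedCertificates element together with its entry extensions."""
    return {"serial": serial, "revocation_date": revoked, "reason": reason,
            "invalidity_date": invalidity_date, "hold_instruction": hold_instruction}

def apply_delta(base, delta):
    """Merge a delta CRL into the base CRL it refers to.  The delta's BaseCRLNumber
    must name this base; a removeFromCRL entry lifts a hold, any other entry is a
    new revocation or an upgrade of a hold to a permanent reason."""
    if delta["base_crl_number"] != base["crl_number"]:
        raise ValueError(f"delta refers to base CRL {delta['base_crl_number']}, have {base['crl_number']}")
    merged = {e["serial"]: e for e in base["entries"]}
    for e in delta["entries"]:
        if e["reason"] == REMOVE_FROM_CRL:
            merged.pop(e["serial"], None)          # held certificate released
        else:
            merged[e["serial"]] = e                # revoked, or hold upgraded
    return {"crl_number": delta["crl_number"], "this_update": delta["this_update"],
            "entries": list(merged.values())}

def status(crl, serial):
    """Return ('good' | 'held' | 'revoked', reason name, hold instruction)."""
    for e in crl["entries"]:
        if e["serial"] == serial:
            if e["reason"] == CERTIFICATE_HOLD:
                return "held", REASON_NAMES[e["reason"]], e["hold_instruction"]
            return "revoked", REASON_NAMES[e["reason"]], None
    return "good", None, None

def signature_acceptable(crl, serial, signed_at):
    """Policy used here (an assumption, not a rule from the slides): a signature made
    before the invalidityDate is still accepted, because the key is not believed to
    have been compromised yet; with no invalidityDate, or for a held certificate,
    nothing is accepted.  A stricter verifier rejects everything once listed."""
    state, _, _ = status(crl, serial)
    if state == "good":
        return True
    if state == "held":
        return False
    e = next(e for e in crl["entries"] if e["serial"] == serial)
    return e["invalidity_date"] is not None and signed_at < e["invalidity_date"]

# Constructed sample data: serial numbers and dates invented for the example.
BASE_CRL = {"crl_number": 10, "this_update": datetime(2024, 3, 5), "entries": [
    entry(0x101, datetime(2024, 3, 5), KEY_COMPROMISE, invalidity_date=datetime(2024, 3, 1)),
    entry(0x102, datetime(2024, 3, 4), CERTIFICATE_HOLD, hold_instruction="callissuer")]}
DELTA_CRL = {"crl_number": 11, "base_crl_number": 10, "this_update": datetime(2024, 3, 6), "entries": [
    entry(0x102, datetime(2024, 3, 6), REMOVE_FROM_CRL),                                  # hold lifted
    entry(0x103, datetime(2024, 3, 6), CERTIFICATE_HOLD, hold_instruction="reject")]}     # new hold
SIGNED_BEFORE_COMPROMISE = datetime(2024, 2, 1)
SIGNED_AFTER_COMPROMISE = datetime(2024, 3, 2)

if __name__ == "__main__":
    current = apply_delta(BASE_CRL, DELTA_CRL)
    for s in (0x101, 0x102, 0x103, 0x104):
        print(hex(s), status(BASE_CRL, s), "->", status(current, s))
    print("0x101 signature from before the compromise accepted:",
          signature_acceptable(current, 0x101, SIGNED_BEFORE_COMPROMISE))
```

The four-day gap between the invalidityDate and the revocation date in the sample is the window the timeline figure is about: anything signed in it verifies against the certificate but should not be trusted, and only the invalidityDate extension lets a relying party tell those signatures apart from earlier ones.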
GENERAL HIERARCHICAL STRUCTURE

  [Figure: a binary CA tree. Root Z certifies X and Y; X certifies Q and R, Y certifies S and T; those certify A, C, E, G, I, K, M, O; each of these certifies two end entities, a through p]
GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS

  [Figure: the same CA tree (Z; X Y; Q R S T; A C E G I K M O; a through p) with additional links between CAs]

TOP-DOWN HIERARCHICAL STRUCTURE

  [Figure: the same CA tree with Z at the root]
FOREST OF HIERARCHIES

  [Figure: several independent Certification Authorities (CAs), each rooting its own hierarchy; labels in the figure: Geo-Political, Virginia, Fairfax, MITRE, Abrams, GMU, ISSE, Bank, Acquirer, LEO, Anonymous]
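Added example, not from the slides, for the three hierarchy figures and the forest: certification-path discovery over the tree in the figures. Under a top-down reading only parents certify children, so only Z can serve as a trust anchor; under a general reading every subordinate CA also issues a certificate for its parent, so a relying party holding any CA's key can climb and then descend the tree. A cross-link between Q and T is assumed here to stand in for the slide's added links, and a second, unconnected hierarchy (Bank certifying Acquirer, a relationship assumed for the example) stands in for the forest, where no path exists until two roots cross-certify.

```python
"""Certification-path discovery over the lecture's CA tree: top-down, general, added links, forest."""
from collections import deque

# The CA tree transcribed from the slide figure: issuer -> certified subjects (lower case = end entities).
TREE = {
    "Z": ["X", "Y"],
    "X": ["Q", "R"], "Y": ["S", "T"],
    "Q": ["A", "C"], "R": ["E", "G"], "S": ["I", "K"], "T": ["M", "O"],
    "A": ["a", "b"], "C": ["c", "d"], "E": ["e", "f"], "G": ["g", "h"],
    "I": ["i", "j"], "K": ["k", "l"], "M": ["m", "n"], "O": ["o", "p"],
}
# A second, unconnected hierarchy for the forest case; the Bank/Acquirer relationship is assumed.
BANK_TREE = {"Bank": ["Acquirer"]}

def certificate_graph(*trees, general=False, cross_links=()):
    """Build issuer -> subject edges.
    top-down (general=False): parents certify children only.
    general: every subordinate CA also issues a reverse certificate for its parent.
    cross_links: pairs of CAs that have cross-certified each other (one certificate each way)."""
    edges = {}
    def add(issuer, subject):
        edges.setdefault(issuer, []).append(subject)
        edges.setdefault(subject, [])
    for tree in trees:
        for parent, subjects in tree.items():
            for s in subjects:
                add(parent, s)
                if general and s in tree:        # only CAs issue certificates, end entities never do
                    add(s, parent)
    for a, b in cross_links:
        add(a, b)
        add(b, a)
    return edges

def find_path(edges, anchor, target):
    """Shortest certification path from the trust anchor's key to the target's certificate,
    as a list of names, or None when the relying party cannot reach the target at all."""
    prev, queue = {anchor: None}, deque([anchor])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

if __name__ == "__main__":
    top_down = certificate_graph(TREE)
    general = certificate_graph(TREE, general=True)
    linked = certificate_graph(TREE, general=True, cross_links=[("Q", "T")])
    forest = certificate_graph(TREE, BANK_TREE, general=True)
    bridged = certificate_graph(TREE, BANK_TREE, cross_links=[("Z", "Bank")])
    print("top-down, anchor Z -> p:   ", find_path(top_down, "Z", "p"))
    print("top-down, anchor A -> p:   ", find_path(top_down, "A", "p"))   # None: A issues nothing upward
    print("general,  anchor A -> p:   ", find_path(general, "A", "p"))
    print("added link Q<->T, A -> p:  ", find_path(linked, "A", "p"))
    print("forest, Z -> Acquirer:     ", find_path(forest, "Z", "Acquirer"))
    print("cross-cert Z<->Bank:       ", find_path(bridged, "Z", "Acquirer"))
```

The path lengths are the practical difference between the structures: in the general hierarchy a relying party under A needs eight certificates to reach p via the root, the added Q-T link cuts that to five, and in the top-down structure the same relying party cannot validate p at all unless it also holds Z's key as an anchor.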