Understanding Authority And PKI Trust System
Understanding Authority And PKI Trust System
This validates that the website identity is true. The certificate is saved locally by the web browser and is then used in subsequent transactions. The website’s public key is included in the certificate and is used to verify future communications between the website and the client.
The Public Key Infrastructure
It consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.
The next figure shows how the elements of the PKI interoperate:
- In this example, Bob has received his digital certificate from the CA. This certificate is used whenever Bob communicates with other parties.
- Bob communicates with Alice.
- When Alice receives Bob’s digital certificate, she communicates with the trusted CA to validate Bob’s identity.
The PKI Authorities System
CAs, especially those that are outsourced, issue certificates based on classes that determine how trusted a certificate is.
|0||Used for testing in situations in which no checks have been performed.|
|1||Used by individuals who require verification of email.|
|2||Used by organizations for which proof of identity is required.|
|3||Used for servers and software signing. Independent verification and checking of identity and authority is done by the certificate authority.|
|4||Used for online business transactions between companies.|
|5||Used for private organizations or government security.|
The PKI Trust System
As shown in the figure below, a single CA, called the root CA, issues all the certificates to the end-users, which are usually within the same organization. The benefit of this approach is its simplicity. However, it is difficult to scale to a large environment because it requires a strictly centralized administration, which creates a single point of failure.
Single-Root PKI Topology
Cross-certified CA topologies – As shown in the figure below, this is a peer-to-peer model in which individual CAs establish trust relationships with other CAs by cross-certifying CA certificates. Users in either CA domain are also assured that they can trust each other.
Interoperability of Different PKI Vendors
To address this interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The X.509 version 3 (X.509 v3) standard defines the format of a digital certificate.
Certificate Enrollment, Authentication, and Revocation
Certificates must sometimes be revoked. For example, a digital certificate can be revoked if a key is compromised or if it is no longer needed.
Here are two of the most common methods of revocation:
- Certificate Revocation List (CRL) – A list of revoked certificate serial numbers that have been invalidated because they expired. PKI entities regularly poll the CRL repository to receive the current CRL.
- Online Certificate Status Protocol (OCSP) – An internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate. Revocation information is immediately pushed to an online database.
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNAIJA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
Follow Us on Twitter. Click Here.
Many Crypto. One place. Use Roqqu
Hi, I now use RavenBank to send, receive and save money. I also pay my bills with ease, you should try it out too