![]() |
|||
![]()
|
![]() |
![]() Click Here! |
![]() |
Revoking PEM Public Keys Public keys are revoked for the following reasons:
RSA has had a certificate services center in operation since 1993 which certifies CAs, issues certificates, and provides CRL services. BBN Communications manufactures The SafeKeeper Certificate Issuing System, and Trusted Information Systems provides certification services and products to support certifying authorities and maintains a CRL on an E-mail accessible server. The future will likely bring central or regional repositories of CRLs (e.g., banks or credit card companies). These trusted third parties can be used to run an exhaustive check on whether a public keys certification has been revoked. The US Postal Service is interested in acting as a policy CA and providing electronic postal services which would include certifying public keys, sealing electronic documents with digital signatures, and encryption services. Checking Public Key Certificates and Certificate Revocation Lists There are several situations in which certificates and CRLs should be checked without hesitation.
With PEM, the capability to check certificate validity easily is important and is part of the protocol if properly implemented. The rapid accessibility of CRLs is essential for PEM to be useful and trusted. It is important to be able to understand the level of verification used by CAs when they have checked a users proof of identification and key validity. Not all CAs use the same identity certification criteria. The current certificate structures do not provide for such an indication. The need to check certificates and CRLs raises several questions that need to be addressed in all PEM certification security strategies, including:
Pretty Good Privacy (PGP) The latest versions of PGP provide the same security functions provided by PEMconfidentiality, integrity, signatory authentication, and nonrepudiation. PGP uses the International Data Encryption Algorithm (IDEA), instead of DES, for message encryption and MD5 for hashing. RSA is used for operations requiring a public key algorithm. Public key certification is based on the creation and maintenance of each individual users web of trust. Distribution of private (symmetric) keys is similar to PEM; they are encrypted using the public key of the person (or process) to whom they are to be distributed. Message encapsulation is different from encapsulation in PEM. PGP uses self-defining headers, which can be nested and, therefore, encrypted. Hence, less information is available for a traffic analysis attack. PGP uses a different trust model and certificate structure than PEM. PGPs trust model is a personal referential web structure that is uniquely established by every user. Every users web is different. Because this model does not require the existence of a formal CA infrastructure, PGP has experienced faster growth than PEM. PGP Public Key Certificates As with PEM, PGP certificates provide an association between a public key and its owner whose association and key validity are attested to by those users who have digitally signed the public key. PGP public key pairs are generated by individual users. The PGP public key certificate consists of two parts: the public key and the owners user ID and address (bidwell@prodigy.com), and the digital signatures of the key owner and other users who need the owners key. The key owner should sign the key to prevent forgery, or anyone could generate a key and associate them with the owners user ID and address.
|
![]() |
|
Use of this site is subject certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc.. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details. |