Certifying Authorities (CA)                  

What is a CA?  
What is a PKI?  
What is key management?  
What is the life cycle of a key?  
Why do keys expire?  
What is a CRL?


Other Guides

Introduction to Cryptography

Introduction to Secure Internet Commerce and E-mail

Public Key Cryptography




What is a Certification Authority (CA)?

A Certification Authority (CA), such as IDRBT CA, is an entity that acts as a trusted third party by confirming the identities of organizations and individuals. A CA enlists a number of processes that are used to verify that an organization or individual is exactly who or what they claim to be. Once verification of the identities of the parties in question is satisfied, a CA will issue that organization or individual a digital certificate. The digital certificate serves to authenticate the identity of the owner as the CA as being authentic has digitally verified it.

Think of a digital certificate as an electronic version of a passport that serves to verify the identity  of an individual organization.







What is a PKI?

The effort to arrive at a universally accepted definition of what a Public Key Infrastructure (PKI) entails is an ongoing process among government and standards organization personnel. The overall purpose of a PKI is to enable secure transmission of information through the use of cryptography and digital certificates. A PKI provides its users with a way to conduct electronic commerce and electronic correspondence that ensures confidentiality, integrity of information, authentication, access control, and non-repudiation.

A PKI enables secure electronic communication through the generation and distribution of key pairs and facilitates secure communication by publishing a directory of digital certificates, thus allowing access to any Public Key that it has generated.

The integral internal component of a PKI is the Certification Authority (CA), which acts as a trusted third party that vouches for the authenticity of any party whose digital certificate it has signed. Users can implicitly trust any Public Key that has been signed by the CA.                                                                                                                      Top




What is meant by key management?

Key management involves the many processes and procedures that a Certification Authority (CA) must undertake to ensure that a very fine line is never breached´┐Ża line that exists between providing the Internet public with wide open access to Public Keys and Certificate Revocation Lists (CRLs) and the operation of a business where maintaining impenetrable security is always the number one priority.

One of the most important functions of a CA is to securely generate, distribute and store keys. A CA must provide a timely, up-to-date Certificate Revocation List (CRL) that includes all certificates which are no longer valid because either the certificate (digital certificate) or Private Key was compromised in some way, or because the certificate is now considered untrustworthy.                                                                                                                                   Top




What is the life cycle of a key?

For security reasons, keys have a limited lifetime of generally one year from the date of issuance. IDRBT CA digital certificates and the keys that compose them have a one-year expiration period to ensure that the keys are always 'fresh'. If an unscrupulous attempt is made to compromise the keys, which could take years, the attempt will become futile once the original keys expire.

If a key becomes compromised, and if the compromise goes unnoticed, limiting the lifetime of the key to one year can minimize potential damage.

The typical life cycle of a key generated for the purpose of acquiring an IDRBT CA certificate is described below:

  1. Key generation and registration of the Public Key with IDRBT CA.

  2. Key distribution through the IDRBT CA.

  3. Key usage for encryption/decryption.

  4. Key revocation due to compromise or other causes.

  5. Key replacement due to suspected compromise.

  6. Key termination due to certificate (digital certificate) expiration.





Why do keys expire?

Keys that have surpassed their expiration date are no longer valid, and should not be accepted by the recipient. Allowing the certificate to expire and then reapplying for a new one is more secure than renewing a certificate. If an unscrupulous individual was willing to spend time and resources to attack your private key, it would be possible to successfully compromise your key. The time necessary, however, would take years. Therefore, a one year expiration date can help prevent any long-term attempts at cracking your private key. In addition, as computer hardware that potentially could be used in an attempt to compromise one's key pair continues to improve, generating newer, longer keys every few years serves to more than offset any advances in hardware technologies.






What is a Certificate Revocation List (CRL)?

A Certificate Revocation List (CRL) is published and updated by a Certification Authority (CA) and includes digital certificates that have been revoked by the CA prior to their scheduled expiration date. The CA that issued/signed the certificate in question is the CA that posts the CRL on its own web site, or through some other means.

The most obvious reason for revocation of a digital certificate is that the Private Key of an individual or organization has been or is suspected of being compromised. In order to prevent fraudulent use of the Private Key, the certificate must be revoked. Revocation also occurs if the person named on the certificate is no longer authorized to use that identity, such as a certificate of an employee who is no longer employed by that company.


Only currently valid certificates (i.e., the expiration date on the certificate has not lapsed) are revoked. If you receive an expired certificate attached to a message, you should not accept it. Also, CRLs are updated at specific times of the day-you could receive a message with a revoked certificate that would not appear on a CRL until the next update. If the data transmitted is of significant importance, it may be prudent to confirm with the CA the time the CRL was last updated or when the next update will occur.