Certifying Authorities (CA)
|What is a CA?|
|What is a PKI?|
|What is key management?|
|What is the life cycle of a key?|
|Why do keys expire?|
|What is a CRL?|
Certification Authority (CA), such as IDRBT CA, is an entity that acts as a
trusted third party by confirming the identities of organizations and
individuals. A CA enlists a number of processes that are used to verify that an
organization or individual is exactly who or what they claim to be. Once
verification of the identities of the parties in question is satisfied, a CA
will issue that organization or individual a digital certificate. The digital
certificate serves to authenticate the identity of the owner as the CA as being
authentic has digitally verified it.
Think of a digital certificate as an electronic version of a passport that serves to verify the identity of an individual organization.
effort to arrive at a universally accepted definition of what a Public Key
Infrastructure (PKI) entails is an ongoing process among government and
standards organization personnel. The overall purpose of a PKI is to enable
secure transmission of information through the use of cryptography and digital
certificates. A PKI provides its users with a way to conduct electronic commerce
and electronic correspondence that ensures confidentiality, integrity of
information, authentication, access control, and non-repudiation.
A PKI enables secure electronic communication through the generation and distribution of key pairs and facilitates secure communication by publishing a directory of digital certificates, thus allowing access to any Public Key that it has generated.
integral internal component of a PKI is the Certification Authority (CA), which
acts as a trusted third party that vouches for the authenticity of any party
whose digital certificate it has signed. Users can implicitly trust any Public
Key that has been signed by the CA.
management involves the many processes and procedures that a Certification
Authority (CA) must undertake to ensure that a very fine line is never
breached�a line that exists between providing the Internet public with wide
open access to Public Keys and Certificate Revocation Lists (CRLs) and the
operation of a business where maintaining impenetrable security is always the
number one priority.
of the most important functions of a CA is to securely generate, distribute and
store keys. A CA must provide a timely, up-to-date Certificate Revocation List (CRL)
that includes all certificates which are no longer valid because either the
certificate (digital certificate) or Private Key was compromised in some way, or
because the certificate is now considered untrustworthy.
security reasons, keys have a limited lifetime of generally one year from the
date of issuance. IDRBT CA digital certificates and the keys that compose them
have a one-year expiration period to ensure that the keys are always 'fresh'. If
an unscrupulous attempt is made to compromise the keys, which could take years,
the attempt will become futile once the original keys expire.
a key becomes compromised, and if the compromise goes unnoticed, limiting the
lifetime of the key to one year can minimize potential damage.
typical life cycle of a key generated for the purpose of acquiring an IDRBT CA
certificate is described below:
Keys that have surpassed their expiration date are no longer valid, and should not be accepted by the recipient. Allowing the certificate to expire and then reapplying for a new one is more secure than renewing a certificate. If an unscrupulous individual was willing to spend time and resources to attack your private key, it would be possible to successfully compromise your key. The time necessary, however, would take years. Therefore, a one year expiration date can help prevent any long-term attempts at cracking your private key. In addition, as computer hardware that potentially could be used in an attempt to compromise one's key pair continues to improve, generating newer, longer keys every few years serves to more than offset any advances in hardware technologies.
Certificate Revocation List (CRL) is published and updated by a Certification
Authority (CA) and includes digital certificates that have been revoked by the
CA prior to their scheduled expiration date. The CA that issued/signed the
certificate in question is the CA that posts the CRL on its own web site, or
through some other means.
most obvious reason for revocation of a digital certificate is that the Private
Key of an individual or organization has been or is suspected of being
compromised. In order to prevent fraudulent use of the Private Key, the
certificate must be revoked. Revocation also occurs if the person named on the
certificate is no longer authorized to use that identity, such as a certificate
of an employee who is no longer employed by that company.
currently valid certificates (i.e., the expiration date on the certificate has
not lapsed) are revoked. If you receive an expired certificate attached to a
message, you should not accept it. Also, CRLs are updated at specific times of
the day-you could receive a message with a revoked certificate that would not
appear on a CRL until the next update. If the data transmitted is of significant
importance, it may be prudent to confirm with the CA the time the CRL was last
updated or when the next update will occur.