(Page 4 of 6)
PKI (Public Key Infrastructure)
You explored PKI (Public Key Infrastructure),
which is the combination of software, encryption technologies and services
allowing organizations to protect the security of their communications
and data. PKIs are generally implemented with public/private
key systems, and use digital certificates issued and validated by certificate
authorities for authentication.
You discovered important elements
of a PKI including:
- Digital Certificates, a digital ID card
binding a public key to the individual or item (such as a server) identified
by the certificate; most certificates are based on the X.509 certificate
standard and include information like the X.509 version, expiration
date, serial number, name of the issuing certificate authority, name of the
individual to whom the certificate belongs, and their public key; versions
in common use include X.509v2 and X.509v3, which adds custom extensions.
- Certificate Authority, or CA, the
digital equivalent of a notary public: a trusted third party
that can verify that a public/private key pair legitimately belongs
to the individual in question; CAs create key pairs, publish public
keys in directories, provide services such as revocation and expiration
for keys, verify certificate status in response to queries, etc.
- Certificate Policy, the set of rules issued
by a CA indicating the applicability of a certificate to a class of
applications with common security requirements; it describes rules for
the issuance, management and use of certificates issued by that CA.
- Certificate Practice Statement, or CPS,
a more detailed statement of the procedures and policies used by the
CA in managing the certificates it issues; it includes operational procedures
and a description of the organization's certificate management
system, and tends to be much more detailed than a Certificate Policy.
- Certificate Revocation List, or CRL,
a time-stamped list of all revoked, expired or suspended certificates,
digitally signed with the CA's private key; one
problem with CRLs is that they are typically updated once a day
or so, rather than in real time, so there can be a delay between the
time revocation is requested and the time a certificate appears in the
In taking a more in-depth look at
certificates, you learned that certificate authorities may be arranged
in various ways; there may be a single certificate authority, or a combination
of several, used in managing a PKI. Trust is the confident
reliance on an entity or organization; in the PKI world it often describes
the relationship between the certificate holder and the issuing CA,
or between the viewer of a certificate and the issuing CA. Trust models
are used to describe the chain of trust, which indicates
how trust in an entity affects trust in other entities, similar to the
way trusts work in Windows 2000 domain environments. Some common CA
trust models include:
- Web of Trust, with no central authority; each
user creates and signs certificates for the people they know; PGP uses this model.
- Single CA, in which each entity's public
key is issued over a secure channel by one CA;
there is a single point of contact to check certificate status and to
request certificate actions such as revocation.
- Hierarchical, a tree-structured model
involving multiple CAs with a Root CA at the top and lower-level
CAs whose certificates are signed by the Root CA, for improved
scalability; better suited to large hierarchical organizations like the military
than to distributed, non-centralized peer-to-peer uses.
- Browser Trust List, or CA list, in which
each user holds a list of public keys for all the CAs the user trusts.
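The following is an added worked example, not code from CertiGuide, that ties together the certificate elements and the hierarchical and browser-trust-list models described above: a root CA signs an issuing CA, the issuing CA signs an end-entity certificate, and a verifier walks the chain up to its trust list, checking each signature, expiry date and the issuer's signed, time-stamped CRL. It also reproduces the CRL delay the text mentions: a certificate whose revocation was requested after the morning CRL was published still validates until the next CRL is issued. The signature scheme is a toy textbook RSA built on small Mersenne primes with no padding, chosen only so the example runs with the Python standard library; the CA names, serial numbers and dates are constructed for the example.

```python
import hashlib
import json
import math
from datetime import datetime, timedelta, timezone

# Toy textbook RSA (no padding, tiny Mersenne primes): illustration only, never for real keys.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest(payload):
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, payload):
    return pow(_digest(payload) % priv["n"], priv["d"], priv["n"])

def verify(pub, payload, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(payload) % pub["n"]

# A certificate binds a subject name to a public key, under the issuing CA's signature.
def issue_cert(ca_name, ca_priv, subject, subject_pub, serial, not_after):
    body = {"subject": subject, "issuer": ca_name, "serial": serial,
            "not_after": not_after.isoformat(), "public_key": subject_pub}
    return {"body": body, "sig": sign(ca_priv, body)}

# A CRL is a time-stamped list of revoked serials, signed with the CA's private key.
def issue_crl(ca_name, ca_priv, revoked_serials, this_update):
    body = {"issuer": ca_name, "this_update": this_update.isoformat(),
            "revoked": sorted(revoked_serials)}
    return {"body": body, "sig": sign(ca_priv, body)}

def validate_chain(chain, trust_list, crls, now):
    """chain = [leaf, intermediate, ...]; trust_list maps root CA name -> public key
    (the browser trust list); crls maps CA name -> that CA's latest signed CRL."""
    for i, cert in enumerate(chain):
        body, issuer = cert["body"], cert["body"]["issuer"]
        # The issuer's key comes from the next cert up, or from the trust list at the top.
        if i + 1 < len(chain):
            parent = chain[i + 1]["body"]
            if parent["subject"] != issuer:
                return False, f"{body['subject']}: issuer {issuer} does not match next cert"
            issuer_pub = parent["public_key"]
        elif issuer in trust_list:
            issuer_pub = trust_list[issuer]
        else:
            return False, f"{body['subject']}: issuer {issuer} is not a trusted root"
        if not verify(issuer_pub, body, cert["sig"]):
            return False, f"{body['subject']}: bad signature"
        if now > datetime.fromisoformat(body["not_after"]):
            return False, f"{body['subject']}: expired"
        crl = crls.get(issuer)
        if crl is not None:
            if not verify(issuer_pub, crl["body"], crl["sig"]):
                return False, f"CRL from {issuer}: bad signature"
            if body["serial"] in crl["body"]["revoked"]:
                return False, f"{body['subject']}: revoked (serial {body['serial']})"
    return True, "chain valid"

def demo():
    # Constructed hierarchy: Root CA -> Issuing CA -> server certificate.
    root_pub, root_priv = make_keypair(2**89 - 1, 2**107 - 1)
    inter_pub, inter_priv = make_keypair(2**61 - 1, 2**127 - 1)
    leaf_pub, _ = make_keypair(2**31 - 1, 2**19 - 1)
    day = datetime(2004, 11, 15, 8, tzinfo=timezone.utc)   # constructed date
    expiry = day + timedelta(days=365)
    inter_cert = issue_cert("Root CA", root_priv, "Issuing CA", inter_pub, 1, expiry)
    leaf_cert = issue_cert("Issuing CA", inter_priv, "www.example.test", leaf_pub, 42, expiry)
    trust_list = {"Root CA": root_pub}
    # Morning CRLs, published before any revocation request exists.
    crls = {"Root CA": issue_crl("Root CA", root_priv, [], day),
            "Issuing CA": issue_crl("Issuing CA", inter_priv, [], day)}
    chain = [leaf_cert, inter_cert]
    results = {"valid": validate_chain(chain, trust_list, crls, day + timedelta(hours=1))}
    # Revocation of serial 42 is requested at +2h, but the CRL is only rebuilt once a day,
    # so a check at +3h still succeeds: this is the CRL latency problem.
    results["after_request"] = validate_chain(chain, trust_list, crls, day + timedelta(hours=3))
    crls["Issuing CA"] = issue_crl("Issuing CA", inter_priv, [42], day + timedelta(days=1))
    results["next_day"] = validate_chain(chain, trust_list, crls, day + timedelta(days=1, hours=1))
    # A certificate body altered without the CA re-signing it fails the signature check.
    altered = {"body": dict(leaf_cert["body"], subject="other.example.test"), "sig": leaf_cert["sig"]}
    results["altered"] = validate_chain([altered, inter_cert], trust_list, crls, day)
    results["expired"] = validate_chain(chain, trust_list, crls, expiry + timedelta(days=1))
    # A chain that never reaches a CA in the trust list is rejected.
    results["untrusted"] = validate_chain([leaf_cert], trust_list, crls, day)
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'OK ' if ok else 'FAIL'} {reason}")
```

The checks run in the order a real validator would: name chaining, signature, validity period, then revocation status. Note that revocation is only as fresh as the issuer's latest CRL, which is the gap the text describes and the reason real deployments supplement CRLs with more frequent status checks.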
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.