566    Chapter 10 • Public Key Infrastructure

The RA is usually a physical outlet, at which a party will present itself, its documentation, and its certificate request. The RA verifies the physical documentation, ensures that it matches the information in the certificate request, and that the documentation is sufficient to prove the identity claimed by the desired certificate. The RA typically also takes payment on behalf of itself and the CA, and, on the basis of complete identification and payment, will request the CA to issue the requested certificate.

RAs are found in stand-alone or hierarchical models where the workload of the CA may need to be offloaded to other servers.


EXAM WARNING

Make sure you understand the difference between a CA and an RA. You will need to know when an RA would be used within a PKI.




Since many PKI implementations become very large, there must be a system in place to manage the issuance, revocation, and general management of certificates. PKI, being a public key infrastructure, must generally also be able to store certificates and public keys in a directory that is publicly accessible: the directory service.

The private and public key of a key pair are created at the same time, using a predetermined algorithm. Ideally, the keys are created by the person who will be holding the private key, so that it can be ensured that nobody else ever touches the private key. Some CA services provide for the CA to create the public and private keys, as well as the certificate signing request, on behalf of the key holder, and will then send the private key and issued certificate to the key holder, generally as a Personal Information Exchange (PFX) file. This is a convenience for those certificate requestors who are willing to sacrifice the security of being the only parties to know their private key, so that they may get a certificate without having to know the process involved.

The private key is created by (or given by the CA to) the person, computer, or company that is attempting to establish its credentials. The public key is then stored in its certificate in a directory that is readily accessible by any party wishing to verify the credentials of the certificate holder. For example, if Ben wants to establish secure communications with Jerry, he can obtain Jerry's public key (from the CA, from a third party, or direct from Ben) and encrypt a message to him using Jerry's public key. If Ben is authenticating himself to Jerry (called mutual authentication), Ben signs his message using his own private key. When Jerry receives the
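As an added example (not code from the book), the following Go program uses the standard library to show the key holder generating its own key pair and a certificate request that carries only the public key and claimed identity, so the private key never leaves the holder, and then the exchange described below in which Ben encrypts to Jerry's public key and signs with his own private key. The name "jerry.example" and the message are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// BuildCSR: the holder keeps its private key and hands the RA only a signed
// PKCS#10 request carrying the public key and the identity it claims.
func BuildCSR(holder *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, holder)
}

// Seal: Ben encrypts to Jerry's public key and signs the message with his own private key.
func Seal(ben *rsa.PrivateKey, jerryPub *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, jerryPub, msg, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, ben, crypto.SHA256, h[:], nil)
	return ct, sig, err
}

// Open: Jerry decrypts with his private key, then verifies the signature with Ben's public key.
func Open(jerry *rsa.PrivateKey, benPub *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, jerry, ct, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(benPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err // tampered or not signed by Ben: reject even though it decrypted
	}
	return msg, nil
}

func main() {
	ben, _ := rsa.GenerateKey(rand.Reader, 2048)
	jerry, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := BuildCSR(jerry, "jerry.example") // constructed sample name
	ct, sig, _ := Seal(ben, &jerry.PublicKey, []byte("hello Jerry"))
	msg, err := Open(jerry, &ben.PublicKey, ct, sig)
	fmt.Println(len(der), string(msg), err)
}
```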


          www.syngress.com