
Public Key Infrastructure • Chapter 10  575

a certificate is revoked because of key compromise, you must publish the date the
certificate was revoked, as well as the last date that communications were considered
trustworthy.

When a certificate revocation request is sent to a CA, the CA must be able to
authenticate the request with the certificate owner. Once the CA has authenticated
the request, the certificate is revoked and notification is sent out. Certificate owners
are not the only ones who can revoke a certificate. A PKI administrator can revoke
a certificate without authenticating the request with the certificate owner. A
good example of this is a corporate PKI. If Mary, an employee of SomeCompany,
Inc., leaves the company unexpectedly, the administrator will want to revoke her
certificate. Since Mary is gone, she is not available to authenticate the request.
Therefore, the administrator of the PKI is granted the ability to revoke the certificate.



NOTE
A revoked certificate cannot be un-revoked. Revocation is permanent,
and a new certificate must be issued if a certificate is needed to fill the
purpose of the revoked certificate.





Certificate Revocation List

The X.509 standard requires that CAs publish certificate revocation lists (CRLs).
In their simplest form, CRLs are a published list giving the revocation status of
certificates that the CA manages. There are several forms that revocation lists may
take. Following are descriptions of two of them: simple CRLs and delta CRLs.

                 Simple CRL

A simple CRL is a container that holds a list of revoked certificates with the name
of the CA, the time the CRL was published, and when the next CRL will be
published. A simple CRL is a single file that continues to grow over time. The fact that
only information about the certificate is included, and not the certificate itself,
controls the size of a simple CRL container.
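The structure just described, worked through as an added example that is not from the book: a simple CRL carrying the issuing CA's name, its publication time, its next-update time and the per-certificate entries (serial, revocation date, reason, and, for key compromise, the last date the key was considered trustworthy); a delta CRL that is merged into the base list; and a status check that treats a CRL past its next-update time as stale. Class and field names are my own, and the serials and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str                                  # e.g. "keyCompromise", "cessationOfOperation"
    invalidity_date: Optional[datetime] = None   # last moment the key was considered trustworthy

@dataclass
class SimpleCRL:
    issuer: str               # name of the CA that published the list
    this_update: datetime     # when this CRL was published
    next_update: datetime     # when the next CRL will be published
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)

    def revoke(self, entry: RevokedEntry) -> None:
        # Key-compromise revocations must also record when trust in the key ended.
        if entry.reason == "keyCompromise" and entry.invalidity_date is None:
            raise ValueError("key-compromise revocation must record the invalidity date")
        # Revocation is permanent: entries are only ever added, never removed or replaced.
        self.entries.setdefault(entry.serial, entry)

def apply_delta(base: SimpleCRL, delta: SimpleCRL) -> SimpleCRL:
    """Merge a delta CRL into its base CRL and return the effective complete list."""
    if delta.issuer != base.issuer:
        raise ValueError("delta CRL was not issued by the base CRL's CA")
    merged = SimpleCRL(base.issuer, delta.this_update, delta.next_update, dict(base.entries))
    for entry in delta.entries.values():
        merged.revoke(entry)
    return merged

def status(crl: SimpleCRL, serial: int, now: datetime) -> str:
    """Return 'revoked', 'good', or 'stale' when the CRL is past its next_update."""
    if now > crl.next_update:
        return "stale"          # relying party must fetch a fresh CRL before trusting this answer
    return "revoked" if serial in crl.entries else "good"

# Constructed sample data (not taken from the book):
T0 = datetime(2024, 1, 1)
BASE = SimpleCRL("CN=SomeCompany CA", T0, T0 + timedelta(days=7))
BASE.revoke(RevokedEntry(1001, T0, "keyCompromise", invalidity_date=T0 - timedelta(days=3)))
DELTA = SimpleCRL("CN=SomeCompany CA", T0 + timedelta(days=1), T0 + timedelta(days=2))
DELTA.revoke(RevokedEntry(1002, T0 + timedelta(days=1), "cessationOfOperation"))
EFFECTIVE = apply_delta(BASE, DELTA)
```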

                 Delta CRL

Delta CRLs handle the issues that simple CRLs cannot—size and distribution.
Although a simple CRL only contains certain information about a revoked certifi-




                                                                              www.syngress.com