Page 592 - StudyBook.pdf

576    Chapter 10 • Public Key Infrastructure

cate, it can still become a large file. The issue here is: how do you continually distribute a large file to all parties that need to see the CRL? The answer is Delta CRLs. In a Delta CRL configuration, a base CRL is sent to all end parties to initialize their copies of the CRL. After the base CRL is sent out, updates known as deltas are sent out on a periodic basis to inform the end parties of any changes.

Another method of verifying the state of a certificate is called the Online Certificate Status Protocol (OCSP).

             OCSP

The OCSP was defined to help PKI certificate revocation bypass the limitations of CRL schemes. OCSP returns information relating only to certain certificates that have been revoked. With OCSP, there is no need for the large files used in a CRL to be transmitted. A query is sent to a CA regarding a particular certificate over transport protocols such as Hypertext Transfer Protocol (HTTP). Once the query is received and processed by the CA, an OCSP responder replies to the originator with the status of the certificate, as well as information regarding the response. An OCSP response consists of:

■ The status of the certificate ("good," "revoked," or "unknown")
■ The last update on the status of the certificate
■ The next time the status will be updated
■ The time that the response was sent back to the requestor

One of the most glaring weaknesses of OCSP is that it can only return information on a single certificate, and does not attempt to validate the certificate for the CA that issued it.
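The Delta CRL scheme and the OCSP response described above, modelled in Python as an added example (not code from the book). The serial numbers, revocation reasons, the ISSUED set the responder consults, and the one-hour validity window are all constructed assumptions; the removeFromCRL reason code used to lift a certificateHold is the one defined in RFC 5280.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed base CRL (serial -> revocation reason) as held after the
# initial distribution, and constructed deltas sent out afterwards. A delta
# adds newly revoked serials or, with the RFC 5280 reason removeFromCRL,
# lifts a certificateHold.
BASE_CRL = {0x1001: "keyCompromise", 0x1002: "certificateHold"}
DELTAS = [
    {0x1003: "cessationOfOperation"},
    {0x1002: "removeFromCRL", 0x1004: "superseded"},
]
# Constructed set of serials this CA issued (assumption; separates "good" from "unknown").
ISSUED = {0x1001, 0x1002, 0x1003, 0x1004, 0x1005}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def apply_deltas(base: dict, deltas: list) -> dict:
    """Current revocation list after applying the deltas in issue order."""
    current = dict(base)
    for delta in deltas:
        for serial, reason in delta.items():
            if reason == "removeFromCRL":
                current.pop(serial, None)  # hold lifted: no longer revoked
            else:
                current[serial] = reason
    return current

@dataclass
class OcspResponse:
    """The four fields the text lists, for exactly one certificate."""
    serial: int
    status: str            # "good", "revoked" or "unknown"
    this_update: datetime  # last update of the status
    next_update: datetime  # when the status will next be updated
    produced_at: datetime  # when the response was sent back

def ocsp_respond(serial: int, revoked: dict, now: datetime = NOW) -> OcspResponse:
    """Responder side: status of one serial only, nothing about its chain."""
    if serial in revoked:
        status = "revoked"
    elif serial in ISSUED:
        status = "good"
    else:
        status = "unknown"  # this CA never issued that serial
    return OcspResponse(serial, status, now, now + timedelta(hours=1), now)

def is_fresh(resp: OcspResponse, now: datetime) -> bool:
    """Relying party: accept only a response inside its validity window."""
    return resp.this_update <= now < resp.next_update
```

The relying party must still query the responder once per certificate in the chain, which is the single-certificate limitation the text points out.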

             Standards and Protocols

Without standards and protocols, a juggernaut like PKI would become unmanageable. For a real-life example, look at the U.S. railroad system in its earlier days. Different railroad companies were using different size rails, and different widths between the rails. This made it impossible for a train to make it cross-country, and in some cases, across regions. In the end, it cost millions of dollars to standardize on a particular type of track.

To avoid this type of disaster, a set of standards was developed early on for PKI. The Public-Key Cryptography Standards (PKCS) are standard protocols used for securing the exchange of information through PKI. The list of PKCS standards was



          www.syngress.com