Public Key Infrastructure • Chapter 10 579
Key Management and Certificate Lifecycle
Certificates and keys, just like drivers’ licenses and credit cards, have a life cycle.
Different factors play into the lifecycle of a particular key or certificate. Many
things can happen to affect the usable life span of a key: it may become compromised,
or its certificate may be revoked or destroyed. Certificates also have an
expiration date. Just like a license or credit card, a certificate is considered valid for
a certain period of time. Once the certificate’s validity period has ended, the
certificate must be renewed or replaced.
Mechanisms that play a part in the life cycle of a certificate are:
■ Centralized vs. decentralized key management
■ Storage of private keys
■ Key escrow
■ Certificate expiration
■ Certificate revocation
■ Certificate suspension
■ Key recovery
■ Certificate renewal
■ Key destruction
■ Key usage
■ Multiple key pairs
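The following example is added here to illustrate the lifecycle states listed above; it is not code from the book. It models a certificate's validity window, suspension (a reversible hold, the certificateHold reason code in RFC 5280), revocation (permanent) and renewal (a new serial and validity window bound to the same subject and key). The certificate structure, serial counter and subject names are constructed for the example; a real implementation would read these fields from an X.509 certificate and a CRL or OCSP response.

```python
"""Certificate lifecycle model: validity window, suspension, revocation, renewal.

Constructed illustration (not from the textbook): a minimal model of the
states a certificate passes through, so the difference between expiry,
suspension (reversible hold) and revocation (permanent) can be exercised.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import itertools


class Status(Enum):
    GOOD = "good"
    NOT_YET_VALID = "not_yet_valid"
    EXPIRED = "expired"
    SUSPENDED = "suspended"    # on hold: reversible (RFC 5280 reason certificateHold)
    REVOKED = "revoked"        # permanent: the key is treated as compromised or retired


@dataclass
class Certificate:
    serial: int
    subject: str
    public_key_id: str          # stand-in for the public key the certificate binds
    not_before: datetime
    not_after: datetime
    suspended: bool = False
    revoked: bool = False


_serials = itertools.count(1000)   # constructed CA serial counter


def issue(subject, public_key_id, issued_at, lifetime_days=365):
    """Issue a certificate valid from issued_at for lifetime_days."""
    return Certificate(next(_serials), subject, public_key_id,
                       issued_at, issued_at + timedelta(days=lifetime_days))


def check(cert, now):
    """Decide whether a relying party may trust cert at time 'now'.
    Revocation is tested before the validity window: a revoked certificate
    stays revoked even inside its window, and a suspended one is refused
    until the hold is lifted."""
    if cert.revoked:
        return Status.REVOKED
    if cert.suspended:
        return Status.SUSPENDED
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    return Status.GOOD


def suspend(cert):
    """Place the certificate on hold; reversible with reinstate()."""
    if cert.revoked:
        raise ValueError("a revoked certificate cannot be suspended")
    cert.suspended = True


def reinstate(cert):
    """Lift a hold; only meaningful for a suspended, unrevoked certificate."""
    cert.suspended = False


def revoke(cert):
    """Permanently revoke; clears any hold since revocation supersedes it."""
    cert.revoked = True
    cert.suspended = False


def renew(cert, now, lifetime_days=365):
    """Renewal: a fresh certificate for the same subject and key with a new
    serial and validity window. A revoked key must not be renewed; it needs
    a new key pair and a new enrollment instead."""
    if cert.revoked:
        raise ValueError("revoked certificate: generate a new key pair, do not renew")
    return issue(cert.subject, cert.public_key_id, now, lifetime_days)


def demo():
    """Walk one certificate through its lifecycle and record each decision."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = issue("CN=alice.example", "key-A", t0, lifetime_days=365)
    timeline = []
    timeline.append(check(cert, t0 - timedelta(days=1)))       # not yet valid
    timeline.append(check(cert, t0 + timedelta(days=30)))      # good
    suspend(cert)
    timeline.append(check(cert, t0 + timedelta(days=31)))      # suspended
    reinstate(cert)
    timeline.append(check(cert, t0 + timedelta(days=32)))      # good again
    timeline.append(check(cert, t0 + timedelta(days=400)))     # expired
    renewed = renew(cert, t0 + timedelta(days=360))            # renew before expiry
    timeline.append(check(renewed, t0 + timedelta(days=400)))  # good: new window
    revoke(renewed)
    timeline.append(check(renewed, t0 + timedelta(days=400)))  # revoked
    return cert, renewed, [s.value for s in timeline]


if __name__ == "__main__":
    for status in demo()[2]:
        print(status)
```

The ordering inside `check` is the point worth noticing: a relying party must consult revocation status before it is satisfied by the dates, because revocation and suspension are triggered by events (compromise, a hold) that can occur anywhere inside an otherwise valid window, whereas expiry is fixed at issuance.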
Centralized vs. Decentralized
Different PKI implementations use different types of key management. A business
enterprise often uses centralized key management, with all of the private keys gener-
ated and held by a central system. Older implementations of PGP used decentralized
key management, since the keys are contained in a PGP user’s key ring and no one
entity is superior to another. Hierarchical CA models generally use decentralized
key management, where the keys are generated and managed by the intended
owner of the private key.
Whether to use centralized or decentralized key management depends on the
size of the organization. With decentralized key management, the private key can be
assumed to belong only to its intended owner; with centralized key management,
www.syngress.com