Public Key Infrastructure • Chapter 10 587
TEST DAY TIP
Do not get tripped up by a question about a certificate being revoked. The thing to remember is that crucial information in the certificate has changed or the key has been compromised.
When a certificate revocation request is sent to a CA, the CA must be able to authenticate the request with the certificate owner; otherwise, anyone could revoke your certificate. Certificate owners are not the only ones who can revoke a certificate. A PKI administrator can also revoke a certificate, without authenticating the request with the certificate owner. A good example of this is in a corporate PKI, where certificates should be revoked immediately upon termination of an employee.
Once the CA has authenticated the revocation request, the certificate is revoked and notification is sent out. A PKI user needs to check the status of a company's or person's certificate to know when it has been revoked.
Status Checking
As discussed earlier, there are two methods of checking the revocation status of certificates: CRLs and the OCSP.
CRL
The X.509 standard requires that CAs publish CRLs. The list in its simplest form is a published form listing the revocation status of certificates that the CA manages. There are several forms that the revocation list may take. To recap simple CRLs and the delta CRLs:
■ A simple CRL is a container that holds the list of revoked certificates.
■ A simple CRL also contains the name of the CA, the time and date the CRL was published, and when the next CRL will be published.
■ A simple CRL is a single file that continues to grow over time.
■ The fact that only information about the certificate is included, and not the certificate itself, limits the size of a simple CRL container.
■ Delta CRLs were created to handle issues that simple CRLs cannot—size and distribution.
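The following Python model is an added example and is not code from the book. It shows how the fields recapped above fit together: a base CRL carrying the issuer name, publication time, next-update time and a list of revoked serial numbers, a much smaller delta CRL that records only what changed since that base, and a relying party that merges the two and refuses to trust a list that is past its next-update time. The CA name, serial numbers and dates are constructed sample data; the CRL number, the base-CRL reference on the delta, and the "removeFromCRL" reason code used to lift a temporary hold are modelled on RFC 5280 and are assumptions about the format rather than anything stated on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Reason code a delta CRL uses to lift an earlier "certificateHold" entry
# (assumption: modelled on RFC 5280 reason code 8, removeFromCRL).
REMOVE_FROM_CRL = "removeFromCRL"


@dataclass
class RevokedEntry:
    serial: int                 # only the serial is listed, never the certificate itself
    revocation_date: datetime
    reason: str = "unspecified"


@dataclass
class CRL:
    issuer: str                 # name of the CA that manages the certificates
    this_update: datetime       # time and date the list was published
    next_update: datetime       # when the next list is due
    crl_number: int             # increases with every list the CA publishes
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)
    base_crl_number: Optional[int] = None   # set only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def is_fresh(crl: CRL, now: datetime) -> bool:
    """A list may be relied on only inside its published validity window."""
    return crl.this_update <= now < crl.next_update


def apply_delta(base: CRL, delta: CRL) -> CRL:
    """Combine a complete (base) CRL with a delta CRL into the current full list."""
    if not delta.is_delta:
        raise ValueError("second argument is not a delta CRL")
    if base.is_delta:
        raise ValueError("first argument must be a complete (base) CRL")
    if delta.issuer != base.issuer:
        raise ValueError("delta CRL was issued by a different CA")
    if delta.base_crl_number > base.crl_number:
        raise ValueError("delta refers to a newer base CRL than the one supplied")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta CRL is not newer than the base CRL")
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)     # hold lifted: the certificate is good again
        else:
            merged[serial] = entry       # newly revoked (or updated) entry
    # The merged list inherits the delta's publication window and number.
    return CRL(base.issuer, delta.this_update, delta.next_update, delta.crl_number, merged)


def revocation_status(crl: CRL, serial: int, now: datetime) -> str:
    """Return 'revoked', 'good', or 'unknown' when the list is stale (fail closed)."""
    if not is_fresh(crl, now):
        return "unknown"
    return "revoked" if serial in crl.entries else "good"


# --- constructed sample data (not from any real CA) ---
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = CRL("CN=Example Corp CA", T0, T0 + timedelta(days=7), crl_number=5,
           entries={1001: RevokedEntry(1001, T0, "keyCompromise"),
                    1002: RevokedEntry(1002, T0, "certificateHold")})
DELTA = CRL("CN=Example Corp CA", T0 + timedelta(days=1), T0 + timedelta(days=2),
            crl_number=6, base_crl_number=5,
            entries={1003: RevokedEntry(1003, T0 + timedelta(hours=6), "affiliationChanged"),
                     1002: RevokedEntry(1002, T0 + timedelta(days=1), REMOVE_FROM_CRL)})
NOW = T0 + timedelta(days=1, hours=12)    # inside the delta's validity window
STALE = T0 + timedelta(days=3)            # after the merged list's next_update


def demo() -> Dict[int, str]:
    """Status of four serials as seen by a relying party at NOW."""
    current = apply_delta(BASE, DELTA)
    return {s: revocation_status(current, s, NOW) for s in (1001, 1002, 1003, 1004)}


if __name__ == "__main__":
    print(demo())
```

The relying party never treats a missing entry in a stale list as "good": once the merged list is past its next_update, the answer is "unknown", which is the conservative behaviour a client should fall back to (or fetch a fresh CRL or OCSP response) rather than accepting a certificate on outdated revocation data.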
www.syngress.com