588 Chapter 10 • Public Key Infrastructure
■ Although a simple CRL only contains certain information about the revoked certificate, it can still become a large file.
■ In a Delta CRL configuration, a base CRL is sent out to all end parties to initialize their copies of the CRL. After the base CRL is sent out, updates known as deltas are sent out on a periodic basis to inform the end parties of changes.
OCSP
OCSP was defined to help PKI certificate revocation get past the limitations of using CRL schemes. To recap some of the keys to OCSP:
■ OCSP returns information relating only to certain certificates that have been revoked.
■ With OCSP, there is no longer a need for the large files used in CRL to be transmitted.
■ OCSP can only return information on a single certificate. OCSP does not attempt to validate the certificate for the CA that has issued the certificate.
Suspension
Sometimes it becomes necessary to suspend a user's certificate. A suspension usually happens because a key is not going to be used for a period of time. For example, if a company previously used a shopping cart tool for purchasing merchandise, but became unhappy with its current online store and is rebuilding it, it could have its CA suspend its certificate and keys. This is done to prevent the unauthorized use of the keys during the period in which they are not in use. While the certificate is in a suspended mode, it must eventually either be revoked or reactivated, or it will simply expire.
Status Checking
The same status checking methods used for revocation apply to the suspension of certificates. CAs use CRLs and OCSP to allow the status of suspended certificates to be reviewed. The difference is that the reason for revocation is listed as Certification Hold instead of the typical revocation reasons (such as change in owner information, compromised keys, and so forth).
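The following is an added example, not from the book, that models the Delta CRL scheme described earlier in this chapter and the suspension status check above: a base CRL is merged with its deltas, and a lookup distinguishes a held (suspended) certificate from a revoked one. The reason codes are the CRLReason values from RFC 5280 (certificateHold lifts to removeFromCRL in a later delta); the CRL numbers, serials and dates are constructed sample data, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# CRLReason codes from RFC 5280 section 5.3.1: certificateHold (6) marks a suspension,
# removeFromCRL (8) appears only in delta CRLs and lifts an earlier hold.
KEY_COMPROMISE, AFFILIATION_CHANGED, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 3, 6, 8

@dataclass
class CrlEntry:
    serial: int          # serial number of the affected certificate
    revoked_at: datetime
    reason: int          # CRLReason code

@dataclass
class Crl:
    number: int                        # cRLNumber, increases with each issue
    entries: List[CrlEntry]
    base_number: Optional[int] = None  # None: complete (base) CRL; set: delta CRL

def merge_deltas(base: Crl, deltas: List[Crl]) -> Dict[int, CrlEntry]:
    """Apply delta CRLs to a base CRL; return the current map serial -> entry."""
    state = {e.serial: e for e in base.entries}
    for delta in sorted(deltas, key=lambda c: c.number):
        # A delta combines only with a complete CRL numbered >= its base number and < itself.
        if delta.base_number is None or not delta.base_number <= base.number < delta.number:
            raise ValueError(f"delta {delta.number} does not apply to base {base.number}")
        for e in delta.entries:
            if e.reason == REMOVE_FROM_CRL:
                state.pop(e.serial, None)  # hold lifted (or cert expired): drop the entry
            else:
                state[e.serial] = e        # new revocation, or a hold escalated to revocation
    return state

def check_status(serial: int, state: Dict[int, CrlEntry]) -> str:
    """Return 'good', 'suspended' (reason certificateHold) or 'revoked'."""
    entry = state.get(serial)
    if entry is None:
        return "good"
    return "suspended" if entry.reason == CERTIFICATE_HOLD else "revoked"

# Constructed sample data (not from any real CA): one base CRL and two deltas.
T = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = Crl(10, [CrlEntry(1001, T, KEY_COMPROMISE)])
DELTAS = [
    Crl(11, [CrlEntry(1002, T, CERTIFICATE_HOLD)], base_number=10),  # 1002 suspended
    Crl(12, [CrlEntry(1002, T, REMOVE_FROM_CRL),                      # 1002 reactivated
             CrlEntry(1003, T, AFFILIATION_CHANGED)], base_number=10),
]
CURRENT = merge_deltas(BASE, DELTAS)  # e.g. check_status(1002, CURRENT) -> "good"
```

A relying party that applied only the first delta would still see 1002 as suspended; only after the second delta is it good again, which is why the delta chain must be applied in order and checked against the base CRL number.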
www.syngress.com