592 Chapter 10 • Public Key Infrastructure
EXAM WARNING
The most important thing to remember about certificate renewal is that
it occurs at or near the end of the certificate's validity period, and is never
triggered by a change in the certificate's information. Changed information
means the old certificate is no longer valid and must be revoked and replaced.
Destruction
As we saw during the dot-com bust, there comes a time for some companies when
they no longer need their key pairs. When the famous chocolate-covered cockroach
Web site, www.chocolatecrunchies.com, went out of business, it most likely had a
certificate issued to it for its online store. To recover some capital, the company
sold off some of its Web servers without clearing the data off of them. On those
Web servers were copies of Chocolate Crunchies' public and private keys. A hacker
who buys one of those servers now has possession of the keys and can potentially
impersonate Chocolate Crunchies with them for as long as the certificate is accepted.
The point is that when a key pair is no longer needed, every copy of it should be
destroyed. Before a server is sold, its storage media must be erased and overwritten
so that the keys cannot be recovered. Overwriting in place is reliable only on
magnetic disks; flash storage, and any hardware security module that holds the
key, should be wiped with the device's own secure-erase or zeroize command, or
physically destroyed. Paper copies of the keys also need to be properly disposed of.
Destroying the keys is not enough on its own: the CA must be notified that
Chocolate Crunchies has gone out of business, and the certificate should be
deregistered so that it no longer vouches for an owner that no longer exists.
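The two technical steps in that paragraph, finding every copy of the key material on a server that is about to leave the company and overwriting it before deletion, can be checked rather than assumed. The script below is an added example written for this page, not code from the StudyBook or from any particular product. It walks a directory tree (a mounted image of the decommissioned server), flags files that carry a PEM private-key header or a key-container extension, then overwrites and unlinks them. The sample files, the directory layout under `etc/ssl/private`, and the function names are assumptions made for the illustration; the in-place overwrite is only meaningful on magnetic media, as the code comments note.

```python
"""Pre-disposal sweep for leftover private-key material (added example).

Walk a decommissioned server's filesystem, report files that look like
private keys, then overwrite and unlink them.  The demo tree built by
build_demo_tree() is constructed for this illustration; the paths and
function names are assumptions, not part of the StudyBook text.
"""
import os
import re
import secrets
import tempfile
from typing import List, Optional, Tuple

# PEM armour used by PKCS#1, PKCS#8 (plain and encrypted), EC, DSA and OpenSSH keys.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# Binary key containers (PKCS#12, Java keystores) have no text marker to grep
# for, so they are flagged by extension and should be inspected by hand.
KEY_EXTENSIONS = {".key", ".p12", ".pfx", ".jks", ".pem"}


def classify(path: str) -> Optional[str]:
    """Return 'pem' if the file starts with a private-key header, 'name' if only
    its extension is suspicious, or None if it looks harmless."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # a PEM header sits near the start of a key file
    except OSError:
        return None
    if PEM_KEY_RE.search(head):
        return "pem"
    if os.path.splitext(path)[1].lower() in KEY_EXTENSIONS:
        return "name"
    return None


def find_private_keys(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (path, reason) pairs for every suspect file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # the link target is visited on its own
            reason = classify(path)
            if reason:
                hits.append((path, reason))
    return sorted(hits)


def overwrite_and_delete(path: str, passes: int = 3) -> int:
    """Overwrite the file's bytes in place, sync, then unlink; returns bytes written.

    This is the 'erase and overwrite' step from the text.  It only helps on
    magnetic media with in-place writes: SSD wear levelling, copy-on-write
    filesystems and snapshots keep the old blocks, so there the device's
    secure-erase command or physical destruction is required instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return size


def sweep(root: str) -> List[Tuple[str, str]]:
    """Find every suspect file under root, destroy it, and return what was removed."""
    hits = find_private_keys(root)
    for path, _reason in hits:
        overwrite_and_delete(path)
    return hits


def build_demo_tree() -> str:
    """Constructed sample image: one PEM key, one PKCS#12 flagged by name, one web page."""
    root = tempfile.mkdtemp(prefix="decom-")
    os.makedirs(os.path.join(root, "etc", "ssl", "private"))
    with open(os.path.join(root, "etc", "ssl", "private", "store.pem"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"MIIEconstructedNotARealKey\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "backup.pfx"), "wb") as fh:
        fh.write(b"\x30\x82\x00\x10" + b"\x00" * 16)  # binary container, caught by extension
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html>Chocolate Crunchies</html>\n")
    return root


if __name__ == "__main__":
    image = build_demo_tree()
    for found_path, why in find_private_keys(image):
        print(f"{why:4s} {found_path}")
    removed = sweep(image)
    print(f"destroyed {len(removed)} file(s); remaining: {find_private_keys(image)}")
```

Run it against the mount point of the server's disk rather than the live root so that in-use files and bind mounts do not hide copies; treat the `name` hits as leads to open and verify, since a `.pem` file may hold only a certificate, and remember that a clean sweep of the filesystem says nothing about backups, snapshots or the hardware keystore, which need their own disposal step.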
EXAM WARNING
Deregistering a key pair is different from revoking a key pair. When you
deregister a key pair, the association between the key pair, the CA, and the
key owner is broken because the owner no longer exists. When a key is revoked,
it is because the information in the certificate is no longer valid or the
private key was compromised, but the key owner still exists.
www.syngress.com