Roles in a public key infrastructure

Understanding the roles involved is essential for designing a public key infrastructure.

The term "public key infrastructure" encompasses much more than the technical components and is often misleadingly used.

In summary, a public key infrastructure is both an authentication technology and the totality of all the components involved.

Continue reading „Rollen in einer Public Key Infrastruktur“

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: It contains all the serial numbers of certificates that have been recalled by the certification authority (and are still valid). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the size increases, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 recalled certificates already correspond to approx. 5 MB file size for the revocation list.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): It is similar to a directory assistance service where applications can request the revocation status for individual certificates, thus eliminating the need to download the entire CRL. OCSP is available in the RFC 6960 specified.

Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“

Overview of the setting options for blocking configurations of the online responder (OCSP).

If a blocking configuration is configured for an online responder, there are various setting options that are discussed below.

Continue reading „Übersicht über die Einstellungsmöglichkeiten für Sperrkonfigurationen des Onlineresponders (OCSP)“

Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Continue reading „Verwenden von HTTP über Transport Layer Security (HTTPS) für die Sperrlistenverteilungspunkte (CDP) und den Onlineresponder (OCSP)“

Allow requesting a specific signature key on a certification authority

The Microsoft Certification Authority always signs certificates using the key associated with the most recent Certification Authority Certificate. The signing certificate for an OCSP response should be in accordance with RFC 6960 but signed by the same key as the certificate to be verified:

The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.

However, if the certification authority certificate is renewed and a new key pair is used in the process, it is necessary for the online responder to continue to maintain valid signature certificates for the certificates issued with the previous certification authority certificate, since these are ultimately still valid and must be checked for revocation.

Continue reading „Die Beantragung eines bestimmten Signaturschlüssels auf einer Zertifizierungsstelle erlauben“