InfoSec - Digital Certificates
Revocation
A key handling procedure. A key may need to be revoked prior to its expiration. Revoked keys cannot be reinstated. The CA should be immediately notified when a key is revoked and its status entered on the CRL.
Renewal
A key handling procedure. An existing key can be renewed before it expires. However, continually renewing keys make them more vulnerable.
Escrow
A key handling procedure. Keys are manage by a third party such as trusted CA. The private key is split and each half is encrypted. The two halves are sent to the third party, which stores each half in a separate location.
Expiration
A key handling procedure. Keys have expiration dates. Some systems set keys to expire after a set period of time by default.
Suspension
A key handling procedure. The revocation of a key is permanent; key suspension is for a set period of time. The CA should be notified, but the key can be reinstated.
Public Key Cryptography Standards (PKCS)
A numbered set of PKI standards that have been defined by the RSA Corporation. These standards are based on the RSA public-key algorithm.
Certificate Repository (CR)
A public accessible directory that contains the certificates and CRLs published by a CA.
Certificate Policy (CP)
A published set of rules that govern the operation of a PKI. It provides recommended baseline security requirements for the user and operation of CA, RA and other PKI components.
M-of-N Control
A recovery technique. A users private key is encrypted and divided into a specific number of parts. The parts are distributed to other individuals, with an overlap.
Key Recovery Agent (KRA)
A recovery technique. Highly trusted person responsible for recovering lost or damaged digital certificates.
Direct Trust
A relationship exists between two individuals because one person knows the other person.
Certificate Practice Statement (CPS)
A technical document that details how the CA uses and manages documents, end users register for a digital certificate, how certificates are issued and revoked and private key protection.
Certificate Authority (CA)
An entity that issues digital certificates for others. A user provides information to this authority for identity verification. The user then generates public and private keys and sends the public key to the authority. The authority inserts this public key into the certificate.
Dual-Sided Certificate
Certificates in which the functionality is split between two certificates. A signing certificate is used to sign a message to prove that the sender is authentic. An encryption certificate is used for the actual encryption of the message. They reduce the need for multiple copies of the signing certificate.
Server Digital Certificates
Combine both server authentication and secure communication between clients and servers on the web.
Public Key Infrastructure (PKI)
Framework for all the entities involved in digital certificates to create, store, distribute, and revoke digital certificates. It is digital certificate management.
Personal Digital Certificates
Issued by a CA or RA directly to individuals.
Software Publisher Digital Certificates
Issued by software publishers to verify that their programs are secure and have not been tampered with.
Destruction
Key destruction removes all private and public keys along with the user's identification information in the CA.
Certificate Revocation List (CRL)
Lists revoked certificates. Can be accessed to check the certificate status of other users.
Bridge Trust Model
PKI trust model that users a CA. There is no single CA that signs the certificates. One CA acts as a facilitator to interconnects all other CAs. The facilitator doesn't issue digital certificates, it acts as the hub between hierarchal trust models and distributed trust models.
Distributed Trust Model
PKI trust model that uses a CA, where there are multiple CAs that sign certificates.
Hierarchical Trust Model
PKI trust model that uses a CA, where there is one master CA called the root.
Third Party Trust
Refers to a situation in which two individuals trust each other because each trusts a third party.
Trust Model
Refers to the type of trusting relationship that can exits between individuals or entities.
Registration Authority (RA)
Subordinate entity that handles some CA tasks such as processing certificate requests and authenticating users.
X.509 Digital Certificates
The most widely accepted international standard format for digital certificates.
Digital Certificate
This can be used to associate a user's identity to a public key. The user's public key that has itself been 'digitally signed' by a reputable source entrusted to sign it.
Certificate Life Cycle
This cycle is divided into four parts as digital certificated don't last forever. Those parts being, creation, suspension, revocation and expiration.
Key usage
This is an important aspect of dealing with keys. If more security is needed then a multiple pairs of dual keys can be created. One pair of keys may be used to encrypt information, the public key would be backed up to another location. The second pair would be used for digital signatures, the public key in that pair would never be backed up.
Key Storage
This is an important aspect of dealing with keys. Public keys can be stored by embedding them within digital certificates, while private keys can be stored on the user's local system. Private keys can be stored in hardware like smart cards or in tokens.
Single-Sided Certificate
When a user sends one digital certificate along with their message.