Certificates and Certification Authorities
What is the difference between hierarchical and mesh PKIs?
(No such thing as truly hierarchical PKI) Hierarchical looks like a proper tree, with a self-loop at the root. Mesh PKI has more self loops, loops between nodes, and crossing of levels (not a perfect tree)
What is a digital certificate? Why do we need it?
A signed statement from a Certificate Authority that links a public key to a given subject. We need it to know that a public key is in fact linked to the person we think it is.
How are key pairs generated in a PKI?
By the subject (public key sent to CA), by the CA (private key sent to subject)
Where are the private keys stored? (CA, end-user)
CA doesn't store private keys; End-user can store on computer, on a hardware token, on a hardware security model, or in the cloud
What key usage types do you know?
Digital Signature (security services other than non-repudiation, certificate signing, or CRL signing), Non-Repudiation (verify digital signatures used to provide a non-repudiation service), Key Encipherment (encrypts the key (usually private) with another key (usually public)), Data Encipherment (encrypt user data other than key), Key agreement (when the sender and receiver of the public key need to derive the key without using encryption), Key Certification Signing (public key used to verify signature on certificate), CRL signing (when the subject public key is to verify a signature on revocation information), Encipher Only (public key can encipher data and confirm key agreement), Decipher Only (public key can decipher data and confirm key agreement)
Why do we need certificate revocation? What approaches do you know for it?
Ensure an attacker cannot use an obtained private key to sign documents or decrypt messages on the user's behalf. A certificate can expire (outside of valid time frame) or be revoked (permanent) or suspended (reversible). The CA changes the status of the certificate in it's own database
What makes a CA root?
Kind of defined in a circular manner: its certificate is used by a wide range of users in a certain community (e.g. Microsoft, Apple) as a trust anchor. Its a trusted CA's self-signed certificate
What is Public Key Infrastructure?
PKI is the set of organizations, crypto algorithms, standards, laws, assumptions etc. that can be used to ensure that a certain public key belongs to a certain individual.
what is the usual content of a digital certificate?
Serial number, subject, issuer, time validity, certificate policies, availability of revocation information, key usage, Public key of subject, CA's signature (private key), key identifiers, identifiers of algorithms used for qualified certificates: QCStatement, transaction limit
What are the main tasks of a Certificate Authority?
The organization that certifies that a given public key belongs to a given subject, "trusted third party"
What is a Certification Path?
The path through different CA's that allows the user to check whether a certificate is valid
How can PKI communities be connected?
Through transitivity. e.g. community A's root CA issues a certificate for the root of community B
What types of certificates do you know?
Webserver (TLS/SSL): Domain validated, Organization validated, extended validation