
Certificate revocation list


Page 1: Certificate revocation list


https://store.theartofservice.com/the-certificate-revocation-list-toolkit.html

Page 2: Certificate revocation list

strongSwan - Overview

strongSwan supports certificate revocation lists and the Online Certificate Status Protocol (OCSP).


Page 3: Certificate revocation list

Digital signature - Non-repudiation

checking a "Certificate Revocation List" or via the "Online Certificate Status Protocol"


Page 4: Certificate revocation list

Verisign - 2001 Code Signing Certificate Mistake

Because Verisign code-signing certificates did not specify a Certificate Revocation List Distribution Point, however, there was no way for them to be automatically detected as having been revoked, placing Microsoft's customers at risk.


Page 5: Certificate revocation list

Pretty Good Privacy - Certificates

PGP versions have always included a way to cancel ('revoke') identity certificates. A lost or compromised private key will require this if communication security is to be retained by that user. This is, more or less, equivalent to the certificate revocation lists of centralised PKI schemes. Recent PGP versions have also supported certificate expiration dates.

Page 6: Certificate revocation list

X.509

In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.


Page 7: Certificate revocation list

X.509 - History and usage

In fact, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for 'Public Key Infrastructure (X.509)'.


Page 8: Certificate revocation list

X.509 - Certificates

X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Firefox 3 enables OCSP checking by default, along with versions of Windows including Vista and later.


Page 9: Certificate revocation list

X.509 - Architectural weaknesses

• Use of blacklisting invalid certificates (using CRLs and OCSP) instead of whitelisting,


Page 10: Certificate revocation list

X.509 - PKI standards for X.509

• Online Certificate Status Protocol (OCSP) / Certificate Revocation List (CRL): this is for validating proof of identity


Page 11: Certificate revocation list

Certificate authority - Authority revocation lists

An authority revocation list (ARL) is a form of CRL containing certificates issued to certificate authorities, as opposed to CRLs, which contain revoked end-entity certificates.


Page 12: Certificate revocation list

Revocation list

In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore entities presenting those (revoked) certificates should no longer be trusted.

Page 13: Certificate revocation list

Online Certificate Status Protocol

OCSP was created as an alternative to certificate revocation lists (CRLs), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).


Page 14: Certificate revocation list

Online Certificate Status Protocol - Comparison to CRLs

• Since an OCSP response contains less information than a typical CRL (certificate revocation list), OCSP can use networks and client resources more efficiently.



Page 16: Certificate revocation list

Entrust - History

Prior to becoming a private-equity company, Entrust was included on the Russell 3000 Index in July 2008. In July 2007, Entrust contributed PKI technology to the open-source community through Sun Microsystems, Inc. and the Mozilla Foundation. Specifically, Entrust supplied certificate revocation list distribution points (CRL-DP), Patent 5,699,431, to Sun under a royalty-free license for incorporation of that capability into the Mozilla open-source libraries.


Page 17: Certificate revocation list

Certificate server - X.509 Description

The Internet Engineering Task Force RFC 2459, entitled Internet X.509 Public Key Infrastructure Certificate and CRL Profile, describes the protocols for the X.509 v3 certificate and X.509 v2 certificate revocation list as a part of the Internet PKI.


Page 18: Certificate revocation list

Certificate server - Implementation using Apache + mod_ssl

mod_ssl features support for SSLv2, SSLv3, and TLSv1, with X.509 client/server based authentication and certificate revocation.


Page 19: Certificate revocation list

Security and safety features new to Windows Vista - Cryptography

Revocation improvements include native support for the Online Certificate Status Protocol (OCSP), providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics.


Page 20: Certificate revocation list

CAdES (computing) - Description

• RFC 3280 Internet X.509 Public Key Infrastructure (PKIX) Certificate and Certificate Revocation List (CRL) Profile


Page 21: Certificate revocation list

List of cryptographic key types

• 'revoked key': a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because it may have been compromised. Such keys are placed on a certificate revocation list or 'CRL'.


Page 22: Certificate revocation list

DigiNotar - Issuance of fraudulent certificates

Opera always checks the certificate revocation list of the certificate's issuer, and so they initially stated they did not need a security update.


Page 23: Certificate revocation list

OCSP stapling - Motivation

OCSP has several advantages over older Certificate Revocation List (CRL)-based certificate revocation-checking approaches.


Page 24: Certificate revocation list

Cryptlib - Features

cryptlib provides other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v4) with support for SET, Microsoft AuthentiCode, Identrus, SigG, S/MIME, SSL, and Qualified certificates; PKCS #7 certificate chains; handling of certification requests and CRLs (certificate revocation lists), including automated checking of certificates against CRLs and online checking using RTCS and OCSP; and issuing and revoking certificates using CMP and SCEP.
