KEMBAR78
X.509: Certificate Revocation List (CRL) | PDF | Public Key Certificate | Public Key Cryptography
Scribd
Upload
90 views5 pages

X.509: Certificate Revocation List (CRL)

The document discusses X.509 certificate revocation lists (CRLs) and their delivery methods of polling and pushing. It also describes the one-way, two-way, and three-way authentication procedures used with X.509 certificates. Version 3 certificates were introduced to address inadequacies in version 2 by allowing additional fields and extensions to be added to certificates.

Uploaded by

Shiva prasad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
90 views5 pages

X.509: Certificate Revocation List (CRL)

The document discusses X.509 certificate revocation lists (CRLs) and their delivery methods of polling and pushing. It also describes the one-way, two-way, and three-way authentication procedures used with X.509 certificates. Version 3 certificates were introduced to address inadequacies in version 2 by allowing additional fields and extensions to be added to certificates.

Uploaded by

Shiva prasad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

X.

509: Certificate Revocation List (CRL)

21

X.509: CRL delivery


Two basic Certificate Revocation List delivery models:

„ Polling: the current CRL is requested by the


certificate user when he/she needs key on a digital
certificate
„ Problem: time delay between revocation and publication
„ Pushing: the new CRL is delivered by the CA to the
user as soon as new revocation occurs
„ Problems: storage of new pushed CRLs even if irrelevant
and danger of interception and deletion

22
X.509: Authentication Procedures

„ Three alternative authentication procedures


„ Each use public-key signatures

„ Each assumes that two parties know each

other’s public key.


„ either obtained from Directory

„ or obtained in an initial message

23

X.509: One-way Authentication

„ A single transfer of information from one user (A)


to another (B) and establishes the following:
„ Identity of A and message generated by A

„ Message is intended for B

„ Integrity and originality of the message.

24
X.509: Two-way Authentication

„ In addition, two-way authentication establishes the


following:
„ identity of B and that the reply message is

generated by B (the target of the first message)


„ message is intended for A

„ integrity and originality of the reply

25

X.509: Three-way Authentication

„ Final message from A to B contains a signed copy


of the nonce (rB) received from B.
„ eliminates the need to check timestamps.

„ used when synchronized clocks are not


available.
26
X.509 Version2 Inadequacies and
Version3 Solution
Insufficient information conveyed in the certificate
„ Subject field issues
„ inadequate to identify key owner

„ inadequate for many applications (that require, for


example, e-mail or URL)
„ No security policy information
„ No method to limit damage (in case of faulty or malicious CA)
„ No key differentiation
„ Solution: two approaches
„ either add fields to version 2 format

„ or add optional extension fields (!)

27

X.509 Version 3 Certificate


Note: public key infrastructure in
Windows 2000 supports X.509
version 3 certificates.

The definitions for the Version 3


fields are:
„ Version: Version of the
certificate format; for
example, version 3 (code is 2).

28
X.509 Version 3 Certificate
„ Certificate Serial Number:
The unique integer that is
assigned by the issuing CA.
„ The CA maintains an
audit history for each
certificate so that
certificates can be
traced by their serial
numbers.
„ Revoked certificates
also can be traced by
their serial numbers
(and the issuing CA’s
name).

29

X.509 Version 3 Certificate

„ Certificate (Signature)
Algorithm Identifier: The
public key cryptography and
message digest algorithms
that are used by the issuing
CA to digitally sign the
certificate.
„ Issuer Name: The name of
the issuing CA such as:
„ X.500 directory name
„ Internet e-mail address
„ X.400 e-mail address
„ URL

30

You might also like