PKI 202 – Architecture Models and CRLs
Aman Hardikar
Agenda
• Architecture Models
  • Subordinate
  • Cross certified mesh
  • Bridge
  • Trusted list
• Revocation
  • CRL
  • OCSP
Overview
Mindmap: available at www.amanhardikar.com/mindmaps.html
Topics Today
PKI Trust Models
The fundamental purpose of a PKI is to represent the trust relationships
between the participating parties.
The relying party (verifier) validates the chain of trust from the certificate
it is given back to a root it already trusts.
Four models are covered here:
• Subordinate Hierarchy
• Cross Certified Mesh
• Bridge CA
• Trusted List
Subordinate Hierarchy
• Two or more CAs in a hierarchical relationship: a root CA certifies subordinate CAs, which issue the end-entity certificates
• Good for single-enterprise applications, where everyone trusts the same root
• Hard to implement between enterprises, since neither side will place itself under the other's root
Cross Certified Mesh
• Each CA issues a cross-certificate for the other PKIs' CA verification keys, so a chain built in one PKI can terminate at a root of the other
• Good for dynamically changing enterprise PKI applications
• Scalability is a major issue: with n CAs, full connectivity needs n(n-1) cross-certificates (one in each direction for every pair)
Bridge CA
• Only the root CAs participate in the cross-certification, and each of them cross-certifies with a single bridge CA rather than with every other root
• Solves the scalability issue of the mesh model: any two PKIs connect through the bridge, so the number of cross-certificates grows linearly with the number of PKIs
Trusted List
• Uses a set of publicly trusted root certificates (a trust list) as the anchors for path validation
• Example: web browsers
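Worked example, added here and not part of the slides: the cross-certification step that the mesh and bridge models rely on, built with the openssl command line (assumed to be OpenSSL 1.1.1 or later on PATH). Two subordinate hierarchies with made-up names, PKI A and PKI B, are created; Root A issues a cross-certificate to Root B's key; a relying party whose trust list holds only Root A can then validate an end-entity certificate issued inside PKI B by chaining through the cross-certificate, and fails to validate it without the cross-certificate. All names, paths and the throwaway config are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): two subordinate hierarchies, PKI A and
# PKI B, joined by a cross-certificate that Root A issues to Root B's key.
# Every name, path and config value here is made up for the demo.
set -e
OPENSSL=${OPENSSL:-openssl}
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = unused
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

# root NAME SUBJECT: self-signed root CA -> NAME.key, NAME.crt
root() {
  $OPENSSL req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# csr NAME SUBJECT [KEYFILE]: CSR for a fresh key, or for an existing key
csr() {
  if [ -n "$3" ]; then
    $OPENSSL req -new -config "$CNF" -key "$3" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  else
    $OPENSSL req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  fi
}
# sign CSRNAME ISSUER OUTNAME EXTSECTION: issue a certificate under ISSUER
sign() {
  $OPENSSL x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$CNF" -extensions "$4" \
    -out "$WORK/$3.crt" 2>/dev/null
}

build_pkis() {
  root rootA "/O=Org A/CN=Root A"
  root rootB "/O=Org B/CN=Root B"
  # Subordinate hierarchy inside PKI B: Root B -> Issuing CA B -> end entity
  csr subB "/O=Org B/CN=Issuing CA B";   sign subB rootB subB ca_ext
  csr leafB "/O=Org B/CN=host.b.example"; sign leafB subB leafB leaf_ext
  # Cross-certificate: Root A certifies Root B's key under Root B's own name,
  # so a chain built inside PKI B can terminate at Root A.
  csr crossB "/O=Org B/CN=Root B" "$WORK/rootB.key"; sign crossB rootA crossB ca_ext
}

# Relying party in PKI A: trust list = Root A only. The cross-certificate and
# Issuing CA B are untrusted path material, as a peer would send them in a handshake.
verify_via_cross() {
  cat "$WORK/crossB.crt" "$WORK/subB.crt" > "$WORK/pathB-via-A.pem"
  $OPENSSL verify -CAfile "$WORK/rootA.crt" -untrusted "$WORK/pathB-via-A.pem" "$WORK/leafB.crt"
}
# Same relying party without the cross-certificate: no path to Root A exists.
verify_without_cross() {
  $OPENSSL verify -CAfile "$WORK/rootA.crt" -untrusted "$WORK/subB.crt" "$WORK/leafB.crt" >/dev/null 2>&1
}
# Relying party in PKI B: a plain subordinate hierarchy.
verify_in_pki_b() {
  $OPENSSL verify -CAfile "$WORK/rootB.crt" -untrusted "$WORK/subB.crt" "$WORK/leafB.crt"
}

build_pkis
verify_in_pki_b
verify_via_cross
if verify_without_cross; then
  echo "unexpected: accepted without the cross-certificate"; exit 1
else
  echo "without cross-certificate: no path to Root A, rejected as expected"
fi
```

The bridge model is the same mechanism with one extra hop: every root cross-certifies with the bridge instead of with each other, so the untrusted path material in `verify_via_cross` would contain two cross-certificates (bridge-to-Root B and Root A-to-bridge) rather than one.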
Traditional CRLs
The relying party downloads the latest published CRL and checks that the
certificate's serial number is not listed on it.
Disadvantage:
The CRL grows with the number of revoked certificates and every relying party
downloads the whole list, so network cost grows with both CRL length and the
number of users. A certificate revoked after the last issue is still accepted
until the next CRL is published.
Modified CRLs
• Overissued CRLs: a new CRL is issued well before the previous one expires, so relying parties' refreshes are spread out instead of all hitting the repository when one CRL expires
• Segmented CRLs: the CA's certificates are partitioned across several smaller CRLs, each reachable through its own CRL distribution point
• Delta CRLs: only the changes since a referenced base CRL are published, and the relying party combines base and delta
• Sliding window (overissued delta) CRLs: delta CRLs are themselves overissued, each covering a window that reaches back to a base CRL the relying party may already hold
OCSP
Online Certificate Status Protocol
• Client – Server model
• Client requests status of a certificate
• Server sends a signed response back
• Advantages
  • Very small request and response
• Disadvantages
  • Every response must be signed, which increases the load on the responder
  • Clients must be online (able to reach the responder) to check the status
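Worked example, added here and not part of the slides, covering both the CRL and the OCSP slides above with the openssl command line (assumed to be OpenSSL 1.1.1 or later on PATH): a throwaway CA built with `openssl ca` issues a certificate and publishes a CRL; the relying party checks the certificate against it; the certificate is revoked and the CRL reissued; and the same CA database answers an OCSP request offline (the client writes the request to a file, the responder reads it and signs a response, the client verifies the signature). Names, paths and the CA configuration are made up for the demo; delta, segmented and overissued CRLs are not shown.

```shell
#!/bin/sh
# Added example (not from the slides): CRL and OCSP with a throwaway CA built by
# `openssl ca`. All names, paths and config values are made up for this demo.
set -e
OPENSSL=${OPENSSL:-openssl}
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"
CNF="$WORK/ca.cnf"

setup_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"        # CA database; the OCSP responder reads the same file
  echo 1000 > "$CA/serial"
  echo 01 > "$CA/crlnumber"   # CRL Number extension, incremented on every -gencrl
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = unused
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_dn
x509_extensions = leaf_ext
[ any_dn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
  $OPENSSL req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Demo Issuing CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
  $OPENSSL req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  $OPENSSL ca -config "$CNF" -batch -notext -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

# CA side: sign a fresh CRL from the database (an empty CRL until something is revoked).
publish_crl() { $OPENSSL ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null; }

# CA side: mark the certificate revoked in the database. The CRL stays stale
# until publish_crl runs again, which is the latency the CRL slide criticises.
revoke_leaf() { $OPENSSL ca -config "$CNF" -revoke "$WORK/leaf.crt" -crl_reason keyCompromise 2>/dev/null; }

# Relying party: path validation plus a CRL check of the end-entity certificate.
check_crl() {
  $OPENSSL verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$WORK/ca.crl" "$WORK/leaf.crt" >/dev/null 2>&1
}

# OCSP round trip through files instead of a socket, so it runs offline: the
# client writes a DER request, the responder answers from index.txt and signs
# with the CA key, the client verifies the signature and prints good/revoked.
ocsp_status() {
  $OPENSSL ocsp -issuer "$CA/ca.crt" -cert "$WORK/leaf.crt" -no_nonce -reqout "$WORK/req.der" >/dev/null 2>&1
  $OPENSSL ocsp -index "$CA/index.txt" -CA "$CA/ca.crt" -rsigner "$CA/ca.crt" -rkey "$CA/ca.key" \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
  out=$($OPENSSL ocsp -respin "$WORK/resp.der" -issuer "$CA/ca.crt" -cert "$WORK/leaf.crt" \
    -no_nonce -CAfile "$CA/ca.crt" 2>&1)
  case "$out" in
    *"Response verify OK"*) printf '%s\n' "$out" | awk '/leaf\.crt: / { print $NF }' ;;
    *) echo "verify-failed"; return 1 ;;
  esac
}

setup_ca
publish_crl
CRL_BEFORE=$(check_crl && echo accepted || echo rejected)
OCSP_BEFORE=$(ocsp_status)
revoke_leaf
publish_crl
CRL_AFTER=$(check_crl && echo accepted || echo rejected)
OCSP_AFTER=$(ocsp_status)
echo "CRL check:   before revocation=$CRL_BEFORE, after=$CRL_AFTER"
echo "OCSP status: before revocation=$OCSP_BEFORE, after=$OCSP_AFTER"
$OPENSSL crl -in "$WORK/ca.crl" -noout -crlnumber -lastupdate -nextupdate
```

Run it as a script; it prints `accepted`/`good` before the revocation and `rejected`/`revoked` after, plus the CRL number and validity window of the final CRL. Here the responder signs with the CA key itself; a production responder would run with `-port` (or as a dedicated service) and sign with a delegated responder certificate carrying the OCSP signing extended key usage, so the CA key is not exposed to an online service.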
SSLAuditor3 Preview
Report-generation code still needs a few fixes
Next Presentations
• PKI Applications
  • SSL
  • S/MIME
  • PGP
  • IKE
  • SSLAuditor3 demo
• PKI Architecture Weakness / Audit
  • Architecture Weaknesses
  • Auditing
  • Mitigation Procedure
  • Best Practices
UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland