Repositories are meant as collections of Certificates and Certificate
Revocation Lists (CRLs).
Certificate VS Public Key
The certificate binds the public key to a subject for a specific
time interval and is signed by the certificate authority.
Multiple certificates form the "identification path" (the
certification path) whose purpose is the validation of a public key.
Certificate Authority Certificates:
Cross-certificates:
define the trust relation between two certificate authorities.
Self-issued cert:
Issuer and signer are the same entity.
Self-signed cert:
Issuer and signer are the same entity (self-issued)
+ the contained public key can verify the signature.
ROOT CERTS are Self-signed.
Certificate Revocation List:
Published on a public repository and signed by the CA; it contains the
serial numbers of the keys revoked by the CA.
A recent CRL must be checked when validating a certificate.
The design is somewhat flawed: in the time window between CRL
updates, a revoked certificate is still considered valid.
Alternative: Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol (not part of the RFC):
Not implemented everywhere (e.g. some browsers do not support it).
Possible privacy issues (an on-demand online check discloses which
certificate is being checked, and therefore which site is visited).
Check the Wikipedia page for details.
X.509 format:
Defined in ASN.1 (whose DER encoding is a general-purpose
Type-Length-Value format).
[
  {
    certificate  -> {
                      version,
                      serial_no,
                      signature,
                      validity,
                      subject_name,
                      subject_pubkey
                    },
    sig_algorithm,
    sig_value
  },
  ...
]
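The nested structure above, as an added example that is not part of these notes: a minimal DER Type-Length-Value walker that decodes the outer Certificate SEQUENCE and the first tbsCertificate fields (version, serial, inner signature algorithm), rejecting truncated input and a mismatch between the inner and outer signature algorithm. The encoder, the sample certificate bytes and the returned field names are assumptions of this example, not real certificate data.

```python
SEQUENCE, INTEGER, BIT_STRING, OID, VERSION_CTX = 0x30, 0x02, 0x03, 0x06, 0xA0
def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; long-form length for values of 128 bytes or more."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def decode_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode the TLV at pos -> (tag, value, end); rejects truncated or malformed lengths."""
    if pos + 2 > len(buf): raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf): raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf): raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    """Split a constructed value (a SEQUENCE body) into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = decode_tlv(value, pos)
        items.append((tag, v))
    return items

def parse_certificate(der: bytes) -> dict:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, end = decode_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single Certificate SEQUENCE")
    (t_tbs, tbs), (t_alg, alg), (t_sig, sig) = children(body)
    if (t_tbs, t_alg, t_sig) != (SEQUENCE, SEQUENCE, BIT_STRING):
        raise ValueError("unexpected Certificate layout")
    fields, version = children(tbs), 1  # version [0] is absent in v1 certificates
    if fields[0][0] == VERSION_CTX:
        version = int.from_bytes(children(fields.pop(0)[1])[0][1], "big") + 1
    (_, serial), (_, inner_alg) = fields[:2]
    if inner_alg != alg:  # RFC 5280 4.1.1.2: tbsCertificate.signature must equal the outer one
        raise ValueError("signature algorithm mismatch")
    return {"version": version, "serial_no": int.from_bytes(serial, "big"),
            "sig_algorithm_oid": children(alg)[0][1].hex(), "sig_value": sig[1:]}

# Constructed sample (not a real certificate): v3, serial 0x1234, sha256WithRSAEncryption OID.
ALG_ID = encode_tlv(SEQUENCE, encode_tlv(OID, bytes.fromhex("2a864886f70d01010b")))
TBS = encode_tlv(SEQUENCE, encode_tlv(VERSION_CTX, encode_tlv(INTEGER, b"\x02"))
                 + encode_tlv(INTEGER, b"\x12\x34") + ALG_ID)
SAMPLE_CERT = encode_tlv(SEQUENCE, TBS + ALG_ID + encode_tlv(BIT_STRING, b"\x00" + b"\xab" * 128))
```

The 128-byte signature forces a long-form (two-octet) length on the outer SEQUENCE, so both length encodings are exercised; the same walker can be pointed at any DER certificate to see its outer three elements.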