Reads on Security (x509 certificates)

RFC5280

Entities:
Users
Certificate authority
Registration authority
Repositories

Repositories are meant here as collections of certificates and
Certificate Revocation Lists (CRLs).

Certificate VS Public Key
The certificate binds the public key to a subject for a specific
time interval, and is signed by the certificate authority.
Multiple certificates constitute the "identification path",
whose purpose is the validation of a public key.

Certificate Authority Certificates:

Cross-certificates:
 define the trust relation between two
 certificate authorities.

Self-issued cert:
 Issuer and subject are the same entity.

Self-signed cert:
 Issuer and subject are the same entity (self-issued)
 + the contained pubkey can verify the signature.
 Root certs are self-signed.

Certificate Revocation List:
Published on a public repo and signed by the CA; contains the
serial numbers of the certificates revoked by the CA.
A recent CRL needs to be checked when validating a certificate.
The design is somewhat flawed: in the time window between CRL
updates, a revoked certificate is still considered valid.
Alternative: Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (not part of RFC 5280):
Not implemented everywhere (e.g. certain browsers do not
implement it).
Possible privacy issues (checking online on demand implies
disclosure).
Check the Wikipedia page for details.

X509 format:
 In ASN.1 (a general-purpose Type-Length-Value format)
   [
     {
       certificate,    -> {
       sig_algorithm,       version,
       sig_value            serial_no,
     },                     signature,
     ...                    validity,
   ]                        subject_name,
                            subject_pubkey
                          }
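
Added example (not part of the original notes): a minimal Python walker for the DER Type-Length-Value encoding used for X.509, applied to a constructed byte string with the three-field shape sketched above. The helper names (read_tlv, children, tlv, outline) and the sample bytes are assumptions made for illustration; the sample is not a real certificate and its inner "certificate" part holds only a serial number.

```python
# Added example: DER (TLV) walker. The sample bytes are constructed, not a real certificate.
TAGS = {0x02: "INTEGER", 0x03: "BIT STRING", 0x06: "OID", 0x30: "SEQUENCE"}

def read_tlv(buf, off=0):
    """Return (tag, value_bytes, next_offset) for the TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or off + n > len(buf):   # n == 0 is indefinite length, not valid in DER
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def children(value):
    """Split the contents of a constructed value into its (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out

def tlv(tag, value):
    """Encode one TLV; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def outline(der):
    """Return the tag names of the top-level fields of one encoded certificate."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    return [TAGS.get(t, hex(t)) for t, _ in children(body)]

# Constructed sample with the shape {certificate, sig_algorithm, sig_value}.
TBS = tlv(0x30, tlv(0x02, b"\x01\x23"))                              # serial_no only
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
SIG_VAL = tlv(0x03, b"\x00" + b"\xab" * 200)                         # dummy bits, long-form length
SAMPLE = tlv(0x30, TBS + SIG_ALG + SIG_VAL)
if __name__ == "__main__": print(outline(SAMPLE))
```

The length checks in read_tlv are the part worth copying: a parser that trusts the encoded length without comparing it to the buffer size reads past the end of its input.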