Validity Models Flashcards
1
Q
Certification service provider
A
- Serves as trust anchor in hierarchical PKIs
- Responsible for correct operation of the PKI
- Trusted third party
- “Home” of the issuer
- Provides entities with PKI services
- Usually composted of various components (authorities)
2
Q
CSP components (authorities)
A
- Registration authority
- Certification Authority
- Directory Services
3
Q
Registration authority
A
- Contact point for (prospective) PKI entities
- Register prospective entities
- Establish “customer relationship”
- Accept requests from entities
- Usually online
4
Q
RA: Registration
A
- Establish identity, contact information, client preferences, billing data, public keys and proof-of-possession (optional)
- Secure “Out-of-Band” communication channel
- Checking the prospective participant’s authorization
- Storing of the registration dataset
- Creation of a unique digital name (for the certificate)
5
Q
Proof of Possession: Certificate request message format
A
- Defines a PoP field to include PoP information into certificate request messages
- Content of PoP field depend on key type:
-> Signature keys: signature on a piece of data containing the requestor’s identity
-> Encryption keys: providing private key to CA/RA, direct method, indirect method - Key agreement keys: establishing ephemeral key + employing one of the methods defined for encryption keys or providing a MAC over certificate request computed with the ephemeral key
6
Q
PoP: Encryption keys
A
- Direct: Encrypt a value and have the entity decrypt it
- Indirect: Encrypt the certificate and have the entity decrypt it
7
Q
PoP: Key agreement keys
A
Establishment of a shared secret key between CSP and entity
8
Q
Secure “Out-of-Band” channel
A
- Independent of the PKI:
-> Face-to-Face communication (i.e. local presence)
-> Previously established shared secrets (e.g. passwords)
-> Third-party services
9
Q
RA models
A
- Centralized: One RA for all participants
- Decentralized (Local RA): Different RAs for different participant groups
- Hybrid models: E.g. distributed collection of data, but centralized data management
10
Q
Reasons for decentralization
A
- Topology (e.g. lots of company branches)
- Separation of responsibilities
- On-site registration
-> better identification (known requester)
-> distribution of the cost (registration is time consuming)
-> less work for the end-entity (e.g. registration at the workplace)
-> use of established workflows - Fail-safeness
11
Q
Security requirements for registration
A
- Correctness of the registration data set
-> checking during ascertainment
-> obsolete data refresh - Enforce the Certificate Policy
-> Completeness of the registration data set
-> Authorization - Data protection
-> Access control for registration data sets - Integrity protection of the data
-> CRC, MAC, digital signature, … - Availability of the data
-> Backup - Verifiability of the processes (auditing acceptability)
-> Logging
12
Q
Certificate classes
A
- Not part of X.509 specification
- Classification depends on vendor
- Verisign (not existing anymore) - to differentiate certificate purposes:
-> Class 1 for individuals, intended for email
-> Class 2 for organizations, for which proof of identity is required
-> Class 3 for servers and software signing - GlobalSign, Secorio - to different strength of identity validation for personal certificates
-> Class 1 only include the validation of the email address
-> Class 2 includes more thorough validation (e.g. company existence, passport and/or address validation) - No universal meaning, mainly marketing purposes
13
Q
Classification for TLS certificates
A
- Also not part of X.509 standard but commonly agreed
- Describes the strength of performed identity validation
- Indicated via OID in the X.509 Certificate Policies extension
- 3 types:
-> domain validation (DV), existence & control over domain verified
-> organization validation (OV), some additional checks regarding the requesting organization
-> extended validation (EV), thorough validation of the requesting organization
14
Q
EV certificates: Scope
A
Are intended for use in establishing web-based data communication conduits via TLS/SSL protocols
15
Q
EV certificates: Primary purposes
A
- Identify the legal entity that controls a website
- Provide reasonable assurance that the website is controlled by a specific legal entity identified by:
-> name
-> address of place of business
-> jurisdiction of incorporation
-> and registration number - Enable the encrypted communication of information