Key Management
Published in Khaleel Ahmad, M. N. Doja, Nur Izura Udzir, Manu Pratap Singh, Emerging Security Algorithms and Techniques, 2019
Certificates issued by a CA have a limited validity period, but a certificate may also need to be invalidated before it expires for various reasons: the private key of the communicating entity may be compromised, a certificate issued by a CA may be compromised, or the participating entities may no longer be certified by the CA. For this purpose the CA maintains a Certificate Revocation List (CRL) containing all revoked certificates, including those issued to participating entities and to other CAs, and posts the CRL to the directory. The CRL carries the issuer name, the issuer's signature, one entry per revoked certificate identified by its unique serial number, the date of issue of the CRL and the next scheduled date of issue of the CRL.
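The relying-party side of the CRL described above, as an added illustration that is not from the chapter: a CRL model with the listed fields, and a status check that refuses to trust a CRL whose issuer does not match, whose signature does not verify, or which is outside its date-of-issue to next-scheduled-issue window. The CA signature is a constructed HMAC stand-in (DEMO_CA_KEY), not the asymmetric signature a real CRL carries, and all sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json
from typing import Dict

@dataclass
class CRL:
    """Issuer, date of issue, next scheduled issue, revoked entries by serial, signature."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str]  # serial number -> revocation date (ISO 8601 text)
    signature: bytes = b""

def crl_body(crl: CRL) -> bytes:
    """Canonical encoding of the part of the CRL that the issuer signs."""
    return json.dumps({"issuer": crl.issuer,
                       "thisUpdate": crl.this_update.isoformat(),
                       "nextUpdate": crl.next_update.isoformat(),
                       "revoked": {str(k): v for k, v in sorted(crl.revoked.items())}},
                      sort_keys=True).encode()

# Constructed stand-in for the CA's signature: an HMAC under a demo key. A real CRL
# carries an asymmetric signature verified with the public key in the CA certificate.
DEMO_CA_KEY = b"demo-ca-signing-key"

def _mac(crl: CRL) -> bytes:
    return hmac.new(DEMO_CA_KEY, crl_body(crl), hashlib.sha256).digest()

def sign_crl(crl: CRL) -> CRL:
    crl.signature = _mac(crl)
    return crl

def certificate_status(crl: CRL, expected_issuer: str, serial: int, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown'. 'unknown' means the CRL cannot be relied on
    (wrong issuer, bad signature, or now outside thisUpdate..nextUpdate): a failed check."""
    if crl.issuer != expected_issuer or not hmac.compare_digest(_mac(crl), crl.signature):
        return "unknown"
    if not crl.this_update <= now <= crl.next_update:
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"

# Constructed sample CRL: one revoked serial, next issue scheduled seven days later.
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW, STALE = ISSUED + timedelta(days=1), ISSUED + timedelta(days=8)
SAMPLE_CRL = sign_crl(CRL("CN=Demo CA", ISSUED, ISSUED + timedelta(days=7),
                          {4096: "2023-12-30T00:00:00+00:00"}))
```

A CRL consulted after its next scheduled issue date yields "unknown" rather than "good", since a missing fresh CRL is exactly what an attacker holding a revoked key would want a client to ignore.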
Network Security
Published in Mário Marques da Silva, Cable and Wireless Networks, 2018
Each CA stores the digital certificates it has signed in a public repository (database), which is generally accessible to the public. Similarly, when a certificate reaches the end of its validity period, or when an error is detected in a distributed certificate, the CA revokes the digital certificate and advertises the revocation through a certificate revocation list. Entities can also query these databases using the Online Certificate Status Protocol.
Machine identities
Published in Abbas Moallem, Human-Computer Interaction and Cybersecurity Handbook, 2018
Public key infrastructure (PKI) refers to the ecosystem that controls the issuance, storage, and distribution of digital certificates and includes the following components:
Certification authority (CA): issues digital certificates. CAs can be public (trusted by anyone on the Internet) or private (trusted only by specific organization(s) for the purposes of internal transactions) and are the root of trust.
Registration authority (RA): responsible for verifying identities prior to the issuance of certificates.
Certificate database: maintains a record of certificates that have been issued or revoked, for audit purposes.
Key escrow/archival server: stores copies of the private keys of entities, either to audit/inspect communications between human and machine entities or for disaster recovery purposes.
Certificate management system: applies centrally defined policies that govern the issuance, distribution, and life cycle management of certificates.
Certificate revocation lists (CRLs): certificates that have been issued but should no longer be trusted (for a variety of reasons, such as key compromise or entities that have left the organization) are revoked by the issuing authority (CA) and placed on a "blacklist" called a CRL, which relying entities can use to check the status of known or unknown parties in a transaction.
A pre-signed response method based on online certificate status protocol request prediction
Published in Enterprise Information Systems, 2021
Chi-Hua Chen, Genggeng Liu, Yu-Chih Wei, Zuoyong Li, Bon-Yeh Lin
One certificate verification approach is to use certificate revocation lists (CRLs) (Cooper et al. 2008), which are signed revocation lists issued by CAs. However, this approach is time-consuming and constrained by bandwidth (Pachilakis et al. 2020). Currently the Online Certificate Status Protocol (OCSP) (Santesson et al. 2013) is the mainstream approach used to address these problems. OCSP responders are maintained by CAs to answer queries about certificate revocation status. Cryptographic nonces and digital signatures are used to counter attacks on OCSP (Santesson et al. 2013), and nonce lengths are required to be extended to 32 octets in order to prevent nonce collisions (Sahni 2020). However, maintaining the reliability of OCSP remains a major challenge, because more than 7% of OCSP checks on potential attacks are ignored owing to query timeouts (Jones 2020).