RFC 2822 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of public keys. The Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) working group has been the driving force behind setting up a formal (and generic) model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet. This section describes the PKIX model.
[Figure 14.7: key elements of the PKIX model]
Figure 14.7 shows the interrelationship among the key elements of the PKIX model. These elements are:

• End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public key certificate. End entities typically consume and/or support PKI-related services.

• Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs). It may also support a variety of administrative functions, although these are often delegated to one or more registration authorities.

• Registration authority (RA): An optional component that can assume a number of administrative functions from the CA. The RA is often associated with the end entity registration process, but can assist in a number of other areas as well.

• CRL issuer: An optional component that a CA can delegate to publish CRLs.

• Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
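The roles listed above, acted out end to end with the openssl command-line tool: a CA issues an end entity's certificate, revokes it and publishes a CRL to a repository, and a relying party validates the certificate against both. This is an added example, not the textbook's own material; the directory layout, the subject names (Demo PKIX CA, server.example.test) and having the CA keep the RA and CRL-issuer roles for itself are assumptions of the demo.

```shell
# Added example (not from the textbook): the PKIX roles of Figure 14.7 acted out
# with the openssl CLI. Paths, names and the CA acting as its own RA are assumed.
set -e
WORK="${WORK:-$(mktemp -d)}"
REPO="$WORK/repository"   # Repository: where the CA certificate and CRL get published
setup_ca() {   # Certification authority: key pair, self-signed cert, issuance records
  mkdir -p "$WORK/ca/newcerts" "$REPO"
  touch "$WORK/ca/index.txt"                 # database of issued and revoked certs
  echo 1000 > "$WORK/ca/serial"; echo 01 > "$WORK/ca/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = pkix_ca
[pkix_ca]
database = $WORK/ca/index.txt
new_certs_dir = $WORK/ca/newcerts
serial = $WORK/ca/serial
crlnumber = $WORK/ca/crlnumber
certificate = $REPO/ca.pem
private_key = $WORK/ca.key
default_md = sha256
policy = policy_cn
[policy_cn]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[ee_ext]
basicConstraints = CA:FALSE
EOF
  openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo PKIX CA" -keyout "$WORK/ca.key" -out "$REPO/ca.pem" 2>/dev/null
}
issue_ee_cert() {   # End entity: generates its own key pair and a CSR; the CA signs it
  openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext -days 30 -extensions ee_ext \
    -in "$WORK/ee.csr" -out "$WORK/ee.pem" >/dev/null 2>&1
}
revoke_and_publish_crl() {   # CRL issuer: mark the cert revoked, publish a signed CRL
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/ee.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 7 -out "$REPO/crl.pem" >/dev/null 2>&1
}
# Relying party: build the path to the repository's CA cert; extra args (CRL) pass through
verify_ee() { openssl verify -CAfile "$REPO/ca.pem" "$@" "$WORK/ee.pem"; }
setup_ca; issue_ee_cert; verify_ee                      # prints ".../ee.pem: OK"
revoke_and_publish_crl
verify_ee -crl_check -CRLfile "$REPO/crl.pem" || echo "rejected: revoked (expected)"
```

Without -crl_check the revoked certificate still verifies, which is the practical reason a relying party must fetch the CRL from the repository rather than trust the chain alone.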
PKIX Management Functions
PKIX identifies a number of management functions that potentially need to be supported by management