Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Pki 202 Architechture Models and CRLs


Published on

Published in: Technology, Education
  • Be the first to comment

Pki 202 Architechture Models and CRLs

  1. 1. PKI 202 – Architecture Models and CRLs Aman Hardikar
  2. 2. Agenda • Architecture Models • Subordinate • Cross certified mesh • Bridge • Trusted list • Revocation • CRL • OCSP
  3. 3. Overview Available at Mindmap:
  4. 4. Topics Today
  5. 5. PKI Trust Models The fundamental purpose of PKI is to represent the trust relationship between participating parties. The verifier verifies the chain of trust. Four models exist: • Subordinate Hierarchy • Cross Certified Mesh • Bridge CA • Trusted List
  6. 6. Subordinate Hierarchy • Two or more CAs in a hierarchical relationship • Good for single enterprise applications • Hard to implement between enterprises
  7. 7. Cross Certified Mesh • Each internal CA signs the other PKI’s public verification keys • Good for dynamically changing enterprise PKI applications • Scalability is a major issue. Need to support n(n-1) cross certifications
  8. 8. Bridge CA • Only the Root CAs participate in the cross certification • Solves the issues with the mesh model
  9. 9. Trusted List • Uses a set of publicly trusted root certificates • Ex: Internet Browsers
  10. 10. Traditional CRLs Relying party checks the certificate against the latest published CRLs Disadvantage: Long CRLs and the number the users directly proportional to the performance of the network.
  11. 11. Modified CRLs • Overissued CRLs • Segmented CRLs • Delta CRLs • Sliding window (overissued delta) CRLs
  12. 12. OCSP Online Certificate Status Protocol • Client – Server model • Client requests status of a certificate • Server sends a signed response back • Advantages • Very small request and response • Disadvantages • All responses need to be signed increasing the load on the server • Clients must be online/connected to check the status
  13. 13. SSLAuditor3 Preview Report generation code needs few fixes
  14. 14. Next Presentations PKI Applications SSL S/MIME PGP IKE SSLAuditor3 demo PKI Architecture Weakness / Audit Architecture Weaknesses Auditing Mitigation Procedure Best Practices
  15. 15. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland