Components of a PKI

Creating a large PKI involves more than simply the CA and users who obtain certificates. It also involves substantial organizational and legal work. When we consider this in its entirety, we see that five main areas constitute the PKI:

■ CAs to provide management of keys

■ PKI users (people, devices, servers)

■ Storage and protocols

■ Supporting organizational framework (practices) and user authentication through Local Registration Authorities (LRA)

■ Supporting legal framework

A number of vendors provide effective CA servers. These act as a managed service or may be an end-user product; this varies by vendor. The primary providers are as follows:

■ Cybertrust

■ Entrust Technologies

Classes of Certificates

CAs can issue a number of different classes of certificates. These classes vary, depending on how trusted a certificate is. For instance, an outsourcing vendor such as VeriSign or RSA might run a single CA, issuing certificates of different classes. Customers can then obtain from this CA the class of certificate they need, based on their desired level of trust.

Certificate classes are defined by a number, 0 through 4. The higher the number, the more trusted the certificate. So what determines the "trust" in a given certificate?

Trust in the certificate generally is determined by how rigorous the verification process was with regard to the holder's identity at the time the certificate was issued. Let's consider an example.

If an organization wanted a class 0 certificate, it might be issued without any checks. This form of certificate might be used for testing purposes internally. A class 1 certificate, in contrast, would likely require an e-mail reply from the holder to confirm her wish to enroll. This is still a very weak form of authentication for the user, but again, a class 1 certificate is not highly trusted. If an organization requires a higher level of trust for its certificate, it may go through the process to obtain a class 3 or 4 certificate. Before these certificates are issued, the future holder is required to prove her identity. The applicant must authenticate her public key by appearing in person, with a minimum of two official ID documents. As you can see, the various classes of certificates range greatly in their degree of trust to meet an organization's needs.

Examining the PKI Topology of a Single Root CA

In addition to offering a number of different certificates with varying levels of trust, PKIs form different topologies of trust. Here we will examine the simplest of these models, a single CA (see Figure 14-5).

Figure 14-5 Single-Root CA

[Figure: a central CA above the end users Matthew and Abby. Simple (Single-Root) PKI: certificates issued by one CA; single point of failure; centralized trust decisions.]

This topology is often called a root CA. This single CA is responsible for issuing all the certificates to the end users. The initial attraction of this PKI topology is its simplicity; however, it also has a number of pitfalls:

■ It is difficult to scale this topology to a large environment.

■ This topology needs a strictly centralized administration.

■ There is a critical vulnerability in using a single signing private key. If it is stolen, the whole PKI falls apart, because the CA can no longer be trusted as a unique signer.

This form of topology may be used to support VPNs. In some cases, it may be used when the PKI is not needed for anything beyond the VPN.
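
The single-root topology described above, as an added example (not from the original text) using the openssl command line: one self-signed root signs the end-user certificates for Matthew and Abby, and a relying party that trusts only that root rejects a certificate from any other signer. The CA names, the `mallory` user and the scratch-directory file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a single-root PKI built in a scratch directory.
# All names (Central Root CA, Outside CA, mallory) are constructed for illustration.
set -e
umask 077                      # private keys readable by the owner only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. $1 = file prefix, $2 = common name.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue an end-user certificate signed directly by a CA (no intermediates).
# $1 = user name, $2 = file prefix of the signing CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Relying-party check: the only trust anchor installed is root.crt.
# Exit status 0 means the certificate chains to the single root.
trusted() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root root "Central Root CA"
issue matthew root
issue abby root

# A second self-signed CA that no relying party has installed.
make_root outside "Outside CA"
issue mallory outside

for user in matthew abby mallory; do
    if trusted "$user"; then
        echo "$user: trusted"
    else
        echo "$user: rejected"
    fi
done
```

Every decision `trusted` makes rests on the signature of `root.key`: whoever holds that file can run `issue` for any name and the result validates, which is the single-signing-key pitfall listed above.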
