Basic certificate fields for X.509 version 3 are shown in Table 1. The To Be Signed (TBS) certificate field contains the names of the subject and issuer, a public key associated with the subject, a validity period, and other associated information. It usually includes extensions which hold additional optional information. The subject field identifies the entity associated with the public key stored in the subject public key field. It also distinguishes if a certificate is for an end entity, a CA, or a CRL. The Subject Public Key Info (SPKI) field is used to carry the public key and to identify the algorithm by which the key is used (e.g., RSA, DSA, or Diffie-Hellman).
Certificate Fields
|
Attribute
|
Type
|
|---|---|---|
TBS Certif icate
|
Version
|
V1, v2, v3
|
Certificate Serial Number
|
Integer
| |
Algorithm Id
|
Algorithm Object Id.
| |
Issuer
|
Name
| |
Validity
|
Not before time
| |
Not after time
| ||
Subject
|
Name
| |
Subject Public Key Info
|
Algorithm Id
| |
Bit string
| ||
Issuer Unique Id
|
Bit string
| |
Subject Unique Id
|
Bit string
| |
Extensions
| ||
Signature Algorithm
|
Algorithm Id
| |
Signature Value
|
Bit string
|
The signature algorithm field contains the identifier for the cryptographic algorithm used by the CA to sign the certificate.
The signature value field contains a signature digitally added to the encoded TBS certificate. By generating this signature, a CA certifies the validity of the information in the TBS certificate. To be more specific, the CA certifies the binding between the public key material and the subject of the certificate.
Certificate Revocation List
When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (e.g., an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key. Under such circumstances, the CA needs to revoke the certificate.
CRL is similar to notices of stolen or lost credit cards reported to other credit companies. The CA periodically issues a signed data structure called a CRL. A CRL is a time-stamped list identifying revoked certificates. The list is signed by a CA or CRL issuer and made freely available in a public certificate and CRL repository. Each revoked certificate is identified in a CRL by its certificate serial number. When a system employing certificates uses a certificate for verifying a remote user’s digital signature, that system not only checks the certificate signature and validity, but also acquires a recent CRL and checks that the certificate serial number is not on that CRL.
2 comments:
Nice and informative article. I was looking for a detailed explanation about public key infrastructure, one of my friend suggested me about your blog. You have provided and excellent detail about it. Thanks a lot.
public key infrastructure
thank you for the post , visit us for
best telephone solution for business
Post a Comment