            Certifying Authority
a) What is the role of Certifying Authority?
A Certifying Authority is a body entrusted to issue, revoke, renew and provide directories of Digital Certificates. A user's certificate is issued and signed by a Certifying Authority and acts as a proof. Anyone trusting the Certifying Authority can also trust the user's certificate.
 According 
            to section 24 under Information Technology Act 2000 "Certifying 
            Authority" means a person who has been granted a licence to issue 
            Digital Signature Certificates.
b) Who can be entitled to be a Certifying Authority (CA)?
A prospective CA should possess the required resources and infrastructure as specified by the IT Act 2000, get it audited by the auditor appointed by the office of the Controller of Certifying Authorities (CCA), and, based on complete compliance with the requirements, can obtain a license to operate as a Certifying Authority. The license is issued by the Controller of Certifying Authority, Ministry of Information Technology, Government of India.
 
c) What is the role of Registration Authority (RA)?
A Registration Authority (RA) is responsible for initiating the certificate issuance process after receiving an approved application request from the Local Registration Authority. Revocation requests for Digital Certificates from subscribers or an authorized representative of the subscriber are also handled by the RA.
 
d) What is the role of Local Registration Authority (LRA)?
 An LRA (Local Registration Authority) is an agent of the Certifying 
            Authority who collects the application forms for Digital Signature 
            Certificates and related documents, for verification and approval/rejection 
            of application based on verification.
 
 
 e) What are Certificate Policies (CP)?
 Certificate Policies define the different classes 
            of certificates issued by the CA, the procedures to issue and revoke, 
            term of usage of such certificates and among other things the rules 
            governing the different uses of these certificates.
Digital Signature Certificate
a) What is a Digital Signature Certificate?
 Digital signature certificates (DSC) are the digital equivalent (that 
            is electronic format) of physical or paper certificates. Examples 
            of physical certificates are drivers' licenses, passports or membership 
            cards. Certificates serve as proof of identity of an individual for 
            a certain purpose; for example, a driver's license identifies someone 
            who can legally drive in a particular country. Likewise, a digital 
            certificate can be presented electronically to prove your identity, 
            to access information or services on the Internet or to sign certain 
            documents digitally.
 
b) Are Public Keys and Digital Certificates related?
A certificate is an electronic document that binds a public key to a particular individual or organization. A trusted third party, called a Certifying Authority (CA), issues certificates. Before issuing a certificate, a CA will go through a series of authentication procedures to make sure that you are who you claim to be, and that the public key in the certificate really belongs to you.
The certificate is then encrypted (signed) with the CA's private key. Thus, if an end user trusts the CA and has the CA's public key, the user can be sure of the certificate's legitimacy.

c) What is the use of Digital Signature Certificate?
Just as physical documents are signed manually, electronic documents, for example e-forms, are required to be signed digitally using a Digital Signature Certificate.
 
d) Where can Digital Certificates be used?
You can use a Digital Certificate for secure email and web-based transactions, or to identify other participants of web-based transactions. You can use a Digital Certificate to prove ownership of a domain name and establish SSL / TLS encrypted secured sessions between your website and the user for web-based transactions. As a developer you can use a Digital Certificate to prove authorship of code and retain the integrity of distributed software programs. You can use Digital Certificates for signing web forms, e-tendering documents, filing income tax returns etc.
 
e) How does a Digital Certificate function?
Certificates use Public Key Infrastructure (PKI) technology, which is a sophisticated, mathematically proven method of encrypting and decrypting information.
Information can be decrypted only when both a private key and a public key match each other. The certificate contains information about a user's identity (for example, their name, email address, the date the certificate was issued and the name of the Certifying Authority that issued it). The certificate also contains the public key. The private key is stored on the user's computer hard disk or on an external device such as a smart card. The user retains control of the private key; it can only be used with the issued password.
Applying / Registering for a Digital Certificate:

a) What are the different types/classes of Digital Signature Certificates and where each is applicable?
Seven different classes of Digital Certificate for different applications and types of users.

| Class | Category | Supported Applications |
| I | Individual | Secure E-mail |
| IIa | Individual | Web form signing; Client Authentication; Secure E-Mail; Other low Risk Transactions |
| IIb | Enterprises / Government Organizations or Agencies | Web form signing; Client Authentication; Secure E-Mail; Other low Risk Transactions |
| IIIa | Individual | VPN User; Code Signing; Web Form Signing; Client Authentication; Secure E-Mail |
| IIIb | Enterprises / Government Organizations or Agencies | VPN User; Code Signing; Web Form Signing; Client Authentication; Secured E-mail |
| IIIc | Individual / Enterprises / Government Organizations or Agencies | SSL Server Authentication |
| IIId | Individual / Enterprises / Government Organizations or Agencies | VPN Device Authentication |

b) What is the validity period of Digital Signature Certificates?
Digital Certificates are valid for one year or two years from the date of issuance.

c) Can someone else apply for and use a Digital Signature Certificate for me or on my behalf?
An organization can purchase Digital Certificates for its employees with the objective of secure and authenticated web communication. But no one else can use your Digital Certificate, because your email address (and only yours) is attached to the Digital Certificate purchased for you, and your Digital Certificate with its private key is stored under your control. Please take care and avoid giving direct physical access to your important private key.

d) What is the reason for rejection of my application for a Digital Signature Certificate?
Refusal to issue a Digital Certificate is a result of the stringent verification procedure. An incomplete application, incomplete information or wrong information are the common causes for such refusal.

e) What does "Relying Party" mean?
A relying party is an entity that relies on the information provided in a valid digital signature certificate.

Precautionary measures for safekeeping of Digital Certificates:
a) Is it required to keep a backup copy of my Digital Signature Certificate?
A backup copy is needed in case your hard drive crashes or your Digital Certificate gets accidentally deleted. If you store a backup copy of your Digital Certificate on a floppy disk in a secure place, then you will always be able to re-install your Digital Certificate. If you lose your Digital Certificate and it is not backed up, then you will lose any messages that have been encrypted for you.
 
b) How can I protect my Digital Signature Certificate/Private Key?
Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always choose to protect your private key with a good password.
 
c) What is the format of Private Key?
 Private Keys are not easily viewed simply because they need to remain 
            secure. They exist for the most part in an encrypted state within 
            the registry of the Operating System. However, if specified at the 
            time of key pair generation, it is possible to export a Private Key 
            as a data file for backup purposes. Like any cryptographic key, Private 
            Keys are simply long, random numbers.
 
d) How can private key be protected?
Your private key is protected in two ways:
1. It is stored on your computer's hard drive so you can control access to it.
2. When you generate your Digital Certificate's private key at collection time, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Internet Explorer users, your private key is normally protected by your Windows password.
A third party can access your private key only by:
i. having access to the file your key is stored in (which is usually part of your system's configuration information) and
ii. knowing your private password.
Some software permits you to choose to not have a password protect your private key. If you use this option, then you are trusting that no one, presently or in the future, will have unauthorized access to your computer.
 In general, it is far easier to use a password than to completely 
            safeguard your computer physically. Not using a password is a bit 
            like pre-signing all of the cheques in your chequebook and then leaving 
            it open on your desk.

e) Can Digital Certificate be recovered after being accidentally deleted from PC's hard disk drive?
Once your Digital Certificate and key files have been deleted, damaged or overwritten, there is no way to reactivate your Digital Certificate. You will first need to revoke your Digital Certificate, and then enroll for a new one.
 
f) Can more than one person store their Digital Certificate on a computer?
 Yes. Netscape Communicator is set up to allow multiple people to use 
            Netscape on the same computer using profiles. Each person uses their 
            profile to keep their settings, preferences, bookmarks, mail messages 
            and certificates separate from other users of Netscape on the same 
            computer.
 
g) How do I transfer my Digital Certificate to a new computer?
(Microsoft Internet Explorer)
The first step for transporting your Digital Certificate is to save ("export") it from the hard drive of the computer where it is currently held onto a floppy disk or other transport medium.
When your Digital Certificate has been successfully exported, you can then import it into the new location. To import your Digital Certificate into Internet Explorer:
1. From the View menu of Explorer, choose "Internet Options..."
2. Select the Content tab.
 3. Select Personal from the Certificates list.
 4. Click the Import button.
 5. Locate your Digital Certificate from the disk and folder in which 
            it is saved (it should have a .pfx or .p12 extension). Once you have 
            found it, highlight it and click Open.
 6. If prompted, enter the security password used to protect your Digital 
            Certificate (this is NOT the transport password, but the security 
            password you use each time you present your Digital Certificate). 
            You may be prompted to enter this password multiple times (possibly 
            as many as 20) before it takes.
 7. Enter your transport password and click OK.

Web Browser Queries:
a) I deleted Microsoft Internet Explorer and installed the latest version. How do I reinstall my Digital Certificate?
If you removed your old copy of Internet Explorer by deleting the application and its directory, you also deleted your Digital Certificate. You need to request a new Digital Certificate.
 
b) I deleted Netscape Navigator and installed the latest version. How do I reinstall my Digital Certificate?
 If you removed your old copy of Netscape Navigator by deleting your 
            Netscape directory, you also deleted the file that contained the private 
            key associated with your Digital Certificate. Without that private 
            key, you cannot reinstall your Digital Certificate. You need to request 
            a new Digital Certificate. Upgrading Navigator with the Netscape installer 
            preserves your personal information, including your Digital Certificate 
            and private key. In the future, you should use this installer when 
            upgrading Navigator.
 You can 
            request a Digital Certificate when you register your copy of Navigator, 
            or you can go directly to the Digital Certificate Center.

c) Can I use my Digital Certificate with more than one browser or e-mail application (for example, with Netscape Navigator and Microsoft Internet Explorer)?
Exporting From Netscape Navigator:
1. Click on the Security icon (the one that looks like a padlock) from the main toolbar.
2. Select "Certificates: Personal" from the menu on the left.
 3. Select the Digital Certificate you want to move and click the Export 
            button.
 4. Choose a transport password, which you will be required to present 
            when importing, and then click OK.
 5. Select a disk drive and file name in which to save your Digital 
            Certificate, then click Save.
Importing Into Microsoft Internet Explorer:
1. From the View menu of Explorer, choose "Internet Options..."
2. Select the Content tab.
 3. Select Personal from the Certificates list.
 4. Click the Import button.
 5. Insert the disk with your Digital Certificate into your floppy 
            drive and choose the file name in which your Digital Certificate is 
            stored (it should end with .pfx), then click Save.
 6. Enter your transport password and click OK.
Exporting From Microsoft Internet Explorer:
1. From the View menu of Explorer, choose "Internet Options..."
2. Select the Content tab.
 3. Select Personal from the Certificates list.
 4. Highlight the Digital Certificate you wish to save, and then click 
            the Export button.
 5. Choose a password and a file name for your Digital Certificate. 
            This new password protects this specific copy of your Digital Certificate--you 
            will be required to present it when you want to import or open this 
            copy of your Digital Certificate. Be sure to include a disk and folder 
            location in the file name, such as a: if you want to save to a floppy 
            disk. Click OK.
6. If prompted, enter the security password you have always used to protect your Digital Certificate. There is a bug in some versions of Internet Explorer 4.0: you may be prompted to enter this password multiple times (possibly as many as 20) before it takes. Microsoft is aware of this and is working towards a solution.
Import Into Netscape Navigator:
NOTE: Only the later versions of Navigator 4.0 and up support importing Digital Certificates.
1. Click on the Security icon (the one that looks like a padlock) from the main toolbar.
2. Click on "Yours" under "Certificates" from the menu on the left.
 3. Click the Import Certificate button located near the bottom of 
            the page.
 4. If prompted, enter the password used to protect your Digital Certificate 
            (this is NOT the transport password, but the security password you 
            use each time you present your Digital Certificate). You may be prompted 
            to enter this password multiple times before it takes.
 5. Locate your Digital Certificate from the disk and folder in which 
            it is saved (it should have a .pfx or .p12 extension). Once you have 
            found it, highlight it and click Open.
6. Enter your transport password and click OK. (If your Digital Certificate shows up as a long series of numbers or letters, it should still work correctly.)

d) I deleted my old Microsoft Internet Explorer or Netscape Navigator and installed the latest version. How do I reinstall my Digital Certificate?
 If you removed your copy of Microsoft Internet Explorer or Netscape 
            Navigator by deleting the application and its directory, you also 
            deleted the file that contained the private key associated with your 
            Digital Certificate. Without that private key, you cannot reinstall 
            your Digital Certificate.
 
e) [Master Password] is asked when I am proceeding in the certificate acquisition for Netscape. Is Challenge Code and Master Password the same?
No, they are not the same. In Netscape, there is an independent database for administering the certificates. Master Password is the password for accessing that database. Please DO NOT forget the password. Otherwise, you won't be able to back up the certificates in the database. In Internet Explorer, the OS administers the certificate database, and the password is the same as your login password.

f) I checked my Digital Certificate, and the following message appeared: "This certificate is not trusted." What does this mean?
Most of the time, this happens because the root certificate is installed improperly. Please follow the instructions below to resolve it.
If you are using Netscape:
1. Open up your browser, and on the [Security] menu, click [Signers].
2. Select CA from [Certificate Signers Certificates], and then click [Edit].
3. Check both [Accept this Certificate Authority for Certifying network sites] and [Accept this Certificate Authority for Certifying e-mail users], then click [OK].
If you are using Internet Explorer:
1. Open up your browser, and on the [Tools] menu, click [Internet Options].
2. Select the [Content] tab, press the [Certificates] button, and click the [Trusted Root Certification Authorities] tab.
3. Select CA in the list of root certificates, and click the [Advanced...] button.
4. Make sure [Server Authentication] and [Client Authentication] are checked.
(It is recommended that other option boxes are also checked.)

SSL Certificate Queries:
a) What is SSL (secure socket layer) and how does it work?
 Secure 
            Socket Layer (SSL) is a technology developed by Netscape and adopted 
            by all vendors producing related Web software. It negotiates and employs 
            the essential functions of mutual authentication, data encryption, 
            and data integrity for secure transactions.
 This 
            exchange between the client and server is performed using the Secure 
            Sockets Layer (SSL). SSL 2.0 supports server authentication only; 
            SSL 3.0 supports both client and server authentication.

b) I want to utilize one web server (SSL) certificate for more than one website, can I?
You will not be able to use one certificate on different websites as the certificate is tied to the exact host and domain name.

c) What should users verify before trusting an SSL certified website?
Before trusting any website that presents an SSL certificate, visitors should verify the points given below:
The SSL certificate must have a chain of trust back to a root CA the client trusts.
The server certificate, and all the CA certificates in the certificate chain of trust, must have valid signatures. Every certificate is signed by the next-higher CA, except for a root CA, which signs its own certificate.
The current date and time must be within the validity period of the server certificate, and of all the CA certificates in the certificate chain of trust. Every certificate has a validity period (a starting date and time and an ending date and time when the certificate is valid for use).
The client must retrieve the CRLs from every CA in the certificate chain of trust and check to see if the server certificate or one of the subordinate CAs has been revoked by its next-higher CA.
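
The checks listed above, as an added Go example that is not part of the original FAQ: it builds a constructed root CA, issuing CA and two server certificates in memory, lets the standard library's `Verify` check the chain of trust, signatures, validity periods and host name, and then checks each certificate against a CRL signed by its issuer. The function names (`issue`, `makeCRL`, `notRevoked`, `verifyServer`, `newDemo`) and the `example.test` names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate named cn, signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, now time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), DNSNames: []string{cn},
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL has issuer sign a CRL, current at now, listing the given certificates as revoked.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time,
	revoked ...*x509.Certificate) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, c := range revoked {
		t.RevokedCertificateEntries = append(t.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, t, issuer, key))
	return must(x509.ParseRevocationList(der))
}

// notRevoked requires a current CRL signed by issuer that does not list cert (fails closed).
func notRevoked(cert, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for _, rl := range crls {
		if rl.CheckSignatureFrom(issuer) != nil || now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
			continue // signed by another CA, or not current
		}
		for _, e := range rl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%s: certificate revoked", cert.Subject.CommonName)
			}
		}
		return nil
	}
	return fmt.Errorf("%s: no current CRL from its issuer", cert.Subject.CommonName)
}

// verifyServer checks chain, signatures, validity and host via Verify, then revocation via CRLs.
func verifyServer(leaf *x509.Certificate, host string, roots, inters *x509.CertPool,
	crls []*x509.RevocationList, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots,
		Intermediates: inters, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	for i, chain := 0, chains[0]; i+1 < len(chain); i++ { // each certificate below the root
		if err := notRevoked(chain[i], chain[i+1], crls, now); err != nil {
			return err
		}
	}
	return nil
}

// newDemo builds constructed sample data: root -> issuing CA -> a good and a revoked server cert.
func newDemo(now time.Time) (roots, inters *x509.CertPool, good, bad *x509.Certificate,
	crls []*x509.RevocationList) {
	root, rootKey := issue("root-ca.example.test", 1, true, now, nil, nil)
	inter, interKey := issue("issuing-ca.example.test", 2, true, now, root, rootKey)
	good, _ = issue("www.example.test", 100, false, now, inter, interKey)
	bad, _ = issue("old.example.test", 101, false, now, inter, interKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	crls = []*x509.RevocationList{makeCRL(root, rootKey, now), makeCRL(inter, interKey, now, bad)}
	return
}

func main() {
	roots, inters, good, bad, crls := newDemo(time.Now())
	fmt.Println("good:   ", verifyServer(good, "www.example.test", roots, inters, crls, time.Now()))
	fmt.Println("revoked:", verifyServer(bad, "old.example.test", roots, inters, crls, time.Now()))
}
```

Revocation is checked only along the first chain `Verify` returns, and a missing or out-of-date CRL is treated as a failure rather than ignored.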

Technology:
a) What is PKI?
The PKI is a framework of policies, services, and encryption software that provides the assurances users need before they can confidently transmit sensitive information over the Internet and other networks. At the heart of a PKI is a "Certifying Authority" which issues to each individual a Digital Certificate linking that particular person to a known public key.
 
 b) What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. In short, cryptography is the science of securing data.
 
c) What is secret key cryptography?
 Secret-key 
            cryptography is sometimes referred to as symmetric cryptography. It 
            is the more traditional form of cryptography, in which a single key 
            can be used to encrypt and decrypt a message. Secret-key cryptography 
            not only deals with encryption, but it also deals with authentication.
 
d) What is Public Key Cryptography?
Public Key Cryptography is a method for securely exchanging messages, based on assigning two complementary keys (one public, one private) to the individuals involved in a transaction. Public Key Cryptography is based on the science of encryption, the mathematical scrambling and unscrambling of messages.
 
 e) What is authentication?
 Authentication is the process of verifying a claimed identity. This 
            includes:
 Establishing that a given identity actually exists;
 Establishing that a person or organization is the true holder of that 
            identity;
 Enabling identity holders to identify themselves for the purposes 
            of carrying out a transaction via an electronic medium.
 
 f) What is encryption?
Encryption is the process of using a mathematical formula and an encryption key to scramble information so that it is unintelligible to unauthorized persons. Since electronic information is in the form of a series of ones and zeroes, an encryption process can transform a particular electronic message into another sequence of ones and zeros that is uniquely related to the original message.

 g) What is decryption?
 Decryption is the process of converting the scrambled information 
            back to its original, plain text form using the same mathematical 
            formula and a decryption key related to the encryption key so an authorized 
            person can understand it.
 
 h) What is non-repudiation?
 Non-repudiation provides proof of the origin or delivery of data in 
            order to protect the sender against a false denial by the recipient 
            that the data has been received or to protect the recipient against 
            false denial by the sender that the data has been sent.
 
i) What is Private Key?
"Private Key" means one of the keys of a key pair used to create a Digital Signature.
 
j) What is Smart Card?
A plastic card, like a credit card, with a built-in microprocessor and memory, used for identification or financial transactions. When inserted into a reader, it transfers data to and from a central computer. It is more secure than a magnetic stripe card and can be programmed to self-destruct if the wrong password is entered too many times.

k) What is an e-token?
An e-token is a powerful and secure hardware device that enhances the security of data on public and private networks. The size of a normal house key, an e-token can be used to generate and provide secure storage for passwords and Digital certificates, for secure authentication, digital signing and encryption. E-tokens are based on smart card technology but require no special readers.
 
l) What is key agreement protocol?
 A key agreement protocol, also called a key exchange protocol, is 
            a series of steps used when two or more parties need to agree upon 
            a key to use for a secret-key crypto system. These protocols allow 
            people to share keys freely and securely over any insecure medium, 
            without the need for a previously established shared secret.
 
m) What is a digital envelope?
 The digital envelope consists of a message encrypted using secret-key 
            cryptography and an encrypted secret key.
 
n) What is a hash algorithm?
An algorithm that transforms a string of characters into a usually shorter value of a fixed length or a key that represents the original value. This is called the hash value. Hash functions are employed in symmetric and asymmetric encryption systems and are used to calculate a fingerprint/imprint of a message or document. When hashing a message, the message is converted into a short bit string - a hash value - and it is computationally infeasible to re-establish the original message from the hash value. A hash value is unique in the sense that it is computationally infeasible to find two messages that result in the same bit string, and any attempt to make changes to the message will change the hash value and thus invalidate the signature.
 
o) What is digital time stamping?
 A digital time-stamping service issues time-stamps, which associate 
            a date and time with a digital document in a cryptographically strong 
            way. The digital time-stamp can be used at a later date to prove that 
            an electronic document existed at the time stated on its time-stamp. 
            For example, a physicist who has a brilliant idea can write about 
            it with a word processor and have the document time-stamped. The time-stamp 
            and document together can later prove that the scientist deserves 
            the Nobel Prize, even though an archrival may have been the first 
            to publish.
 
 p) What are Public 
            Key Cryptography Standards?
 Public 
            Key Cryptography Standards are a set of standard protocols for the 
            development of a public key infrastructure (PKI). These standards 
            include RSA encryption, password-based encryption, extended certificate 
            syntax, and cryptographic message syntax for the S/MIME secure e-mail 
            standard. Developed in 1991 by RSA Laboratories with representatives 
            from various computer vendors, PKCS is today widely deployed in public 
            key cryptography systems.
 PKCS #1: RSA Cryptography Standard describes a method for encrypting data by using the RSA public key crypto system. It is used in the construction of digital signatures and digital envelopes.
 PKCS #2: Has been incorporated into PKCS #1.
 PKCS #3: Diffie-Hellman Key Agreement Standard describes a method for implementing the Diffie-Hellman key agreement. PKCS #3 is used in protocols for establishing secure communications.
 PKCS #4: Has been incorporated into PKCS #1.
 PKCS #5: Password-based Cryptography Standard. A password-based security standard.
 PKCS #6: Extended Certificate Syntax Standard describes a syntax for extended certificates, consisting of a certificate and a set of attributes, collectively signed by the issuer of the certificate. This extends the certification to allow for verification of other information concerning the entity.
 PKCS #7: Cryptographic Message Syntax Standard specifies a general format for cryptographic messages.
 PKCS #8: Private Key Information Syntax Standard describes syntax for private key information. Private key information includes a private key for a public key algorithm and a set of attributes. The standard also describes syntax for encrypted private keys.
 PKCS #9: Selected Attribute Types defines selected attribute types for use in some of the PKCS standards.
 PKCS #10: Certification Request Syntax Standard specifies a standard syntax for certificate requests.
 PKCS #11: Cryptographic Token Interface Standard defines a technology-independent programming interface for cryptographic devices such as smart cards.
 PKCS #12: Personal Information Exchange Syntax Standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets etc.
 PKCS #13: Elliptic Curve Cryptography Standard, under development. The standard will include many aspects of elliptic curve cryptography, including parameter and key generation/validation, digital signatures, public key encryption, key agreement, and ASN.1 syntax.
 PKCS #14: Pseudorandom Number Generation Standard, under development. The standard will address many aspects of pseudorandom number generation.
 PKCS #15: Cryptographic Token Information Format Standard for cryptographic tokens used for identification purposes.
 q) What is Cryptographic Service Provider?
 A Cryptographic Service Provider is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each cryptographic service provider provides a different implementation of the crypto API; some provide stronger cryptographic algorithms, while others contain hardware components, such as smart cards.
 
 r) What is a Distinguished Name (DN)?
 A Distinguished Name is a unique identifier of a person or thing, having the structure required by the relevant certificate profile. A distinguished name is assigned to each key holder, organization or other entity.
  
 s) What is SSL (Secure Sockets Layer)?
 Secure Sockets Layer is a protocol that transmits your communications over the Internet in an encrypted form. It was designed by Netscape Communications to enable encrypted, authenticated communications across the Internet. SSL ensures that the information is sent, unchanged, only to the server you intended to send it to. Online shopping sites frequently use SSL technology to safeguard your credit card information.
 When 
            SSL is employed to secure your transaction, the information contained 
            in your transaction is secretly encoded as it is sent between your 
            computer and the computer (web server) you have linked to. Note, for 
            an SSL transaction to work, your browser must be SSL compatible, and 
            the web server you have linked to must be able to perform the necessary 
            "key exchange" with your SSL compatible browser.
 t) What is MIME?
 MIME (Multipurpose Internet Mail Extensions) is a set of specifications 
            for the interchange of text in languages with different character 
            sets. MIME is also used to attach multimedia and rich text elements 
            to e-mail that may be transmitted among different computer systems 
            using Internet mail standards. The specifications define Content-Types 
            and other conventions for the formatting of e-mail messages. S/MIME 
            is a later standard that adds security to e-mail communication by 
            allowing signing and encryption of messages.
 
 u) What is S/MIME?
 A standard that extends the MIME (Multipurpose Internet Mail Extensions) 
            specifications to support the signing and encryption of e-mail transmitted 
            across the Internet.
 
 v) What do X.509 and 
            X.500 mean?
 X.509: A widely used standard for defining Digital Certificates. X.509 is actually an ITU Recommendation, which means that it has not yet been officially defined or approved for standardized usage. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.
 X.500: An ISO and ITU standard that defines how global directories should be structured. X.500 directories are hierarchical, with different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems.
 w) What is Certificate 
            Validation Mechanism?
 A certificate validation mechanism is used when a document or transaction is signed using a Digital Certificate. The certificate serves as a means of identifying the person who signed, since it vouches for the owner's identity or association with a particular organization. Hence it is important to implement a certificate validation mechanism to ensure that the certificate has not been revoked and has not expired.
 
 x) What is Certificate 
            Validation?
 Validation refers to determining the status of a certificate - whether 
            valid, expired or revoked. All Certificates have a fixed life (say 
            one year), but there are various reasons for which a certificate may 
            be invalidated before its due expiry.
 
 y) What is OCSP Validation?
 OCSP validation refers to certificate validation that occurs through the Online Certificate Status Protocol mechanism. This type of validation occurs only when the signer certificate is stamped with an AIA (Authority Information Access) extension.
 OCSP can be either a replacement for or a supplement to checking the validity of a certificate against a Certificate Revocation List (CRL). Using OCSP, when a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of "current", "expired", or "unknown".
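 The status decision described under x) and the choice between OCSP and CRL described under y) can be sketched as follows. This is an added example, not code from the original page: the Cert and Crl classes, the sample CA name, serial numbers and dates are all constructed, and the CRL's signature is assumed to have been verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields that status checking reads."""
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime
    ocsp_url: Optional[str] = None  # responder URL from the AIA extension, if any

@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a CRL whose signature is assumed already verified."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime]    # serial number -> revocation time

def revocation_source(cert: Cert) -> str:
    # OCSP can only be used when the certificate names a responder in its AIA.
    return "ocsp" if cert.ocsp_url else "crl"

def certificate_status(cert: Cert, crl: Crl, at: datetime) -> str:
    """Return 'revoked', 'not yet valid', 'expired', 'valid' or 'unknown' at time `at`."""
    crl_usable = (crl.issuer == cert.issuer
                  and crl.this_update <= at <= crl.next_update)
    revoked_at = crl.revoked.get(cert.serial) if crl_usable else None
    if revoked_at is not None and revoked_at <= at:
        return "revoked"            # revocation outranks the validity window
    if at < cert.not_before:
        return "not yet valid"
    if at > cert.not_after:
        return "expired"            # the certificate's fixed life has run out
    # A stale or foreign CRL proves nothing: fail closed instead of 'valid'.
    return "valid" if crl_usable else "unknown"

# Constructed sample data: one CA, a week-long CRL that revokes serial 1002.
DAY = timedelta(days=1)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CRL = Crl("CN=Example CA", NOW - DAY, NOW + 6 * DAY, {1002: NOW - 10 * DAY})

def sample_cert(serial: int, not_after: datetime, ocsp_url: Optional[str] = None) -> Cert:
    return Cert(serial, "CN=Example CA", NOW - 300 * DAY, not_after, ocsp_url)

if __name__ == "__main__":
    for serial, end in [(1001, NOW + 30 * DAY), (1002, NOW + 30 * DAY), (1003, NOW - DAY)]:
        print(serial, certificate_status(sample_cert(serial, end), SAMPLE_CRL, NOW))
```

 A relying party that gets "unknown" should refresh the CRL or query the OCSP responder before accepting the signature, rather than treating the certificate as valid.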
 z) What is CAM?
 The Certificate Arbitrator Module (CAM) was created to provide validation 
            services across different vendors of the ACES program. It is an application 
            level router that efficiently and consistently routes certificates 
            from relying party programs to the issuing certificate authorities 
            for validation. By interfacing directly with the CAM, a relying party 
            application can interact seamlessly with multiple CAs.
           |