Offline root certificate authority
An offline root certificate authority is a certificate authority (as defined in the X.509 standard and IETF RFC 5280) that has been isolated from network access and is often kept in a powered-down state.

In a public key infrastructure (PKI), the chain of trusted authorities begins with the root certificate authority (root CA). Once the root CA is installed and its self-signed root certificate is created, the administrator's next action is to issue certificates authorizing intermediate (or subordinate) CAs. From then on, certificates can be issued, distributed and revoked without any direct action by the root CA.

Because the consequences of a compromised root CA are so severe (up to and including the need to re-issue every certificate in the PKI), every root CA must be kept safe from unauthorized access. A common way to protect the security and integrity of a root CA is to keep it offline: it is brought online only for specific, infrequent tasks, typically limited to issuing or re-issuing the certificates that authorize intermediate CAs.

A drawback of offline operation is that the root CA cannot itself host its certificate revocation list (CRL), since it is unable to serve CRL downloads over HTTP or LDAP or to answer OCSP queries. The root's signed CRL can, however, be copied to an online server for distribution, and certificate status checking can be delegated to a dedicated validation authority authorized by the offline root CA.

To understand how an offline root CA improves the security and integrity of a PKI, it is important to realize that a CRL is specific to the CA that issued the certificates listed on it: each CA, root or intermediate, is responsible only for tracking the revocation of certificates it alone has issued. Consider the scenario where a root CA issues certificates to three intermediate CAs: A, B and C.
The newly created intermediate CAs then issue their own end-entity certificates.
If an intermediate CA were to revoke every certificate it had issued, the maximum size of its CRL would equal the number of certificates issued by that intermediate CA.
The root CA, however, has issued only three certificates (one to each intermediate CA), so its CRL can never contain more than three entries.
The overall burden of maintaining and hosting the root CA's CRL, and of operating an associated validation authority, is therefore minimized by the use of intermediate CAs.
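The layout described above, built end to end with Go's standard crypto/x509 package. This is an added example, not code from the article: it creates a self-signed root, has it sign intermediate CAs constrained (path length 0) to issue only end-entity certificates, has each intermediate issue and chain-verify a number of TLS server certificates, and then has every CA sign a CRL revoking everything it ever issued. The CA names, hostnames and per-intermediate certificate counts are constructed for the example (they are not the article's figures), and the whole hierarchy lives in process memory rather than in an HSM on an air-gapped machine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate plus its key (a real offline root keeps the key in an HSM).
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // process-wide serial counter; a real CA must persist this
// template builds a CA certificate (pathLen caps how many CA certificates may
// sit below it: 1 for the root, 0 for an intermediate) or a TLS server leaf.
func template(cn string, isCA bool, pathLen int) *x509.Certificate {
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Issue generates a key for tmpl and has parent sign it; parent == nil yields
// the self-signed certificate with which a root CA is created.
func Issue(tmpl *x509.Certificate, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	issuerCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil { issuerCert, signer = parent.Cert, parent.Key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Entity{Cert: cert, Key: key}, nil
}

// SignCRL has a CA sign a CRL over the given certificates and checks the signature
// as a relying party must. Each CA lists only serials it issued itself.
func SignCRL(issuer *Entity, revoked []*Entity) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, e := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: e.Cert.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
	if err != nil { return nil, err }
	crl, err := x509.ParseRevocationList(der)
	if err != nil { return nil, err }
	return crl, crl.CheckSignatureFrom(issuer.Cert)
}

// Scenario builds the article's layout (one offline root, one intermediate per
// entry of leafCount, that many chain-verified TLS leaves under each; the counts
// are made up here) and returns the worst-case CRL size of root and intermediates.
func Scenario(leafCount []int) (int, []int, error) {
	root, err := Issue(template("Example Offline Root", true, 1), nil)
	if err != nil { return 0, nil, err }
	roots, pool := x509.NewCertPool(), x509.NewCertPool() // trust anchor; intermediates a server would send
	roots.AddCert(root.Cert)
	var inters []*Entity
	var interCRL []int
	for i, n := range leafCount {
		inter, err := Issue(template(fmt.Sprintf("Intermediate %c", 'A'+i), true, 0), root)
		if err != nil { return 0, nil, err }
		inters = append(inters, inter)
		pool.AddCert(inter.Cert)
		var leaves []*Entity
		for j := 0; j < n; j++ {
			host := fmt.Sprintf("host%d.%c.example", j, 'a'+i) // constructed hostname
			leaf, err := Issue(template(host, false, 0), inter)
			if err != nil { return 0, nil, err }
			if _, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host}); err != nil { return 0, nil, err }
			leaves = append(leaves, leaf)
		}
		crl, err := SignCRL(inter, leaves) // intermediate revokes all of its own leaves
		if err != nil { return 0, nil, err }
		interCRL = append(interCRL, len(crl.RevokedCertificates))
	}
	crl, err := SignCRL(root, inters) // root revokes all of its intermediates
	if err != nil { return 0, nil, err }
	return len(crl.RevokedCertificates), interCRL, nil
}

func main() { fmt.Println(Scenario([]int{10, 20, 30})) }
```

Run with go run (Go 1.19 or later, for x509.ParseRevocationList); it prints 3 [10 20 30] <nil>: the root's worst-case CRL has exactly as many entries as the root has signed intermediates, while each intermediate's CRL grows with its own issuance volume. The root is only ever needed to sign intermediate certificates and its own small CRL, both of which can be done offline and then copied to an online distribution point.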