General discussion

Certificates

By fshohan ·
Why is it advisable to have a stand-alone computer for a RA?

by secureplay In reply to Certificates

The "weakest link" (well, one of the weakest links) in a Public Key System is the initial registration process. It is important to remember that the basic model in a public key system is to trust anyone with a certificate. You need to actively "key out" bad guys with CRLs (certificate revocation lists) or CKLs (compromised key lists). Thus, instead of an ongoing key distribution problem, you have an ongoing CRL/CKL distribution problem: making sure everyone has an updated list of no-longer-good guys.

So, because a Registration Authority is the main way to create new, valid users, it is an obvious target for attack. Also, for public key systems, the real question is "what is a valid user?"... that is what an RA answers. An RA could be online if it can somehow ensure the integrity of the data/registration validation provided to it - but this is the question that the RA is usually answering.

A non-standard PKI architecture could certainly have an online RA, but the typical model where trust is established through the registration process doesn't work.

Steven Davis
http://www.secureplay.com/ corporate
http://www.playnoevil.com/ blog
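The two points in the reply above (a relying party trusts any CA-signed certificate, so a bogus registration is "valid" until it is keyed out, and revocation only works if everyone holds a current CRL) modelled as an added example; this is not code from the thread or from secureplay. It assumes a toy CA whose signature is an HMAC under a constructed secret, serial numbers and times that are constructed, and a fail-closed policy for a CRL past its next-update time.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret standing in for the CA private key: an HMAC is enough to model
# "signed by the CA" versus "not signed by the CA" without a real asymmetric key.
CA_KEY = b"constructed-toy-ca-secret"

@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    sig: bytes

@dataclass(frozen=True)
class CRL:
    revoked: frozenset
    next_update: int   # after this time a relying party must not rely on the list
    sig: bytes

def _sign(*fields) -> bytes:
    return hmac.new(CA_KEY, "|".join(map(str, fields)).encode(), hashlib.sha256).digest()

def ca_issue(serial: int, subject: str) -> Cert:
    """The CA signs whatever the RA vouched for; it does not re-check identity itself."""
    return Cert(serial, subject, _sign("cert", serial, subject))

def ca_publish_crl(revoked, next_update: int) -> CRL:
    return CRL(frozenset(revoked), next_update, _sign("crl", sorted(revoked), next_update))

def validate(cert: Cert, crl: CRL, now: int) -> str:
    """Relying-party check; returns 'ok' or the reason for rejection."""
    if not hmac.compare_digest(cert.sig, _sign("cert", cert.serial, cert.subject)):
        return "bad signature"
    if not hmac.compare_digest(crl.sig, _sign("crl", sorted(crl.revoked), crl.next_update)):
        return "untrusted CRL"
    if now > crl.next_update:
        return "stale CRL"      # fail closed: we no longer know who has been keyed out
    if cert.serial in crl.revoked:
        return "revoked"
    return "ok"

def scenario() -> dict:
    # Serial 7 was registered through a compromised RA under a false identity (constructed).
    bogus = ca_issue(7, "CN=impostor")
    crl_v1 = ca_publish_crl([], next_update=100)    # issued before the abuse was noticed
    crl_v2 = ca_publish_crl([7], next_update=200)   # issued after serial 7 was revoked
    return {
        "old_crl_still_fresh": validate(bogus, crl_v1, now=50),    # bogus cert accepted
        "new_crl": validate(bogus, crl_v2, now=150),               # keyed out
        "old_crl_past_next_update": validate(bogus, crl_v1, now=150),
        "forged_cert": validate(Cert(8, "CN=forged", b"\x00" * 32), crl_v2, now=150),
    }
```

The "old_crl_still_fresh" case is the window the reply describes: the certificate is perfectly valid, and only timely CRL distribution closes it.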
