Results from the WOW.Com Content Network
The necessity of consulting a CRL (or other certificate status service) prior to accepting a certificate raises a potential denial-of-service attack against the PKI. If acceptance of a certificate fails in the absence of an available valid CRL, then no operations depending upon certificate acceptance can take place.
The OCSP responder uses the certificate serial number to look up the revocation status of Alice's certificate. The OCSP responder looks in a CA database that Carol maintains. In this scenario, Carol's CA database is the only trusted location where a compromise to Alice's certificate would be recorded.
An attacker with the ability to present a compromised certificate likely also has the ability to prevent the client from performing an online revocation status check; in this case, failing soft effectively provides no protection at all. Browsers have chosen this arm of the dilemma and preferred availability over security. [19]
Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. [1]
Checking Revocation Status: each certificate is checked against a Certificate Revocation List (CRL) or an online status protocol (such as OCSP) to ensure it has not been revoked.
Applying Policies: any additional policies specified by the relying party are applied to ensure the certificate path complies with required security standards and practices.
In public key infrastructure, a validation authority (VA) is an entity that provides a service used to verify the validity or revocation status of a digital certificate per the mechanisms described in the X.509 standard and RFC 5280 (page 69). [1]
Without revocation, an attacker would be able to exploit such a compromised or mis-issued certificate until expiry. [15] Hence, revocation is an important part of a public key infrastructure. [16] Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation. [17]