For any certificate issued to a user, it is possible to construct what is known as a certificate chain. The user’s certificate refers to the certificate of the authority that issued it, that authority’s certificate in turn refers to the certificate of the authority above it in the hierarchy, and so on. This means a chain of certificates can be built leading all the way to the certificate of the Root CA, and every electronic signature along that chain can be verified. This procedure is mandatory when verifying a certificate before it is used.
The life-cycle of a certificate consists of the following stages:
- A request is sent to the Certificate Authority to issue a public key certificate and verify the user’s identity.
- A certificate is issued in accordance with the data detailed in the request, and the prevailing certification policy.
- The certificate is distributed among the members of the information system.
- The certificate is stored and issued on request to users and certificate owners.
- The certificate may be suspended or renewed.
- Information in the certificate may be updated along with the pair of keys.
- The certificate may be revoked at the request of its owner, or the regulatory body.
- A certificate may expire, or be reissued if necessary.
The existing PKI currently operates only under the condition that users’ browsers are able to correctly verify:
- the chain of certificates;
- the status of those certificates (whether any has been revoked);
- that the cryptographic computations have been implemented properly and operate correctly;
- that confidential key data has not been compromised;
- that the set of root certificates on the client side is correct.
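As an added example (not code from the original post), the chain walk described above together with the client-side root set from the list: a constructed Root CA → Issuing CA → server certificate hierarchy is built with Go’s standard crypto/x509 package, verified against a trust store containing only that root, and rejected when the leaf chains to a root that is not in the store. All CA and host names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; a nil parent means self-signed (a root CA).
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	} else {
		tmpl.DNSNames = []string{cn} // end-entity certificate bound to a host name
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoChain generates a constructed hierarchy: Demo Root CA -> Demo Issuing CA -> example.test.
func BuildDemoChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue("Demo Root CA", true, nil, nil, 1)
	inter, interKey := issue("Demo Issuing CA", true, root, rootKey, 2)
	leaf, _ = issue("example.test", false, inter, interKey, 3)
	return root, inter, leaf
}

// VerifyLeaf walks leaf -> inter -> root, checking each signature, validity period, CA constraint and host name.
func VerifyLeaf(leaf, inter, trustedRoot *x509.Certificate) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot) // the client's trust store: the only root accepted
	inters.AddCert(inter)      // intermediates normally arrive with the server's handshake
	return leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
}
```

A root missing from the client's store yields Go's "certificate signed by unknown authority" error, which is exactly the failure the fifth condition in the list guards against.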
So, centralized PKI of mass use, particularly when deployed for web resources, has a whole raft of complexities and issues, including:
- The problem of rapid notification about compromised keys. Compiling and distributing a list of revoked certificates can take from several minutes to an hour. As a result, you can never guarantee 100% that a particular key belongs to an identified user at a particular moment in time.
- If certificate checking is carried out online (a request to the Certificate Authority), the user’s privacy is violated, because the Certificate Authority sees the entire history of the user’s interactions.
- Difficulty in detecting the presence of certificates from undesirable Root Certificate Authorities. In such cases, special equipment can be installed on the route between the client and the server which decrypts all data, transparently for both the client and the server.
- Several certificates could be issued in an identical name; in other words, the same identifier could be certified by different Root CAs.
- The process of updating certificates is complex, since it requires repeated access to the registration center, changing the data, reissuing the certificate, and then verifying it once again with the Certificate Authority.
- Complexity arising from the existence of different standards for electronic signatures, which results in compatibility problems between users.
- The system’s center is essentially a single point of failure, which exposes it to a large number of threats, such as the compromise of Root Certificates.
- Centralized PKI implies that identifiers are in the hands of a centralized organization and do not belong to their actual owners.
Bohdan Skriabin
Cryptographer & analyst