Data Protection and Security

   

VIII

Standards and Protocols

    

VIII.II

Public Key Infrastructure

    
   
  X.509 Standard

ITU-T recommendation X.509 is part of the X.500 series that define a directory service. In X.500 framework, PKI is facilitated by a directory; distributed hierarchical database indexed by a hierarchical name, where associated with each name is a repository of information for that name.

The heart of X.509 is the public key certificate associated with each user. Either the user or the CA places the certificate in the directory. The directory server is not interested in the certificate function or who issues it, it only provides an easy access for users to obtain certificates. An X.509 certificate contains the following information:

Version: There are three versions defined, version1 to version 3.
Serial Number: Together with the issuing CA’s name, uniquely identifies the certificate.
SignatureAlgorithmIdentifier: The algorithm used to sign the certificate.
Issuer: The X.500 name of the issuing CA.
Validity: Contains two subfields: the first and the last date the certificate is valid.
Subject: The X.500 name of the user for whom this certificate is issued.
SubjectPublicKeyInfo: The public key of the subject plus an identifier of the algorithm for which this key is to be used together with optional parameters for that algorithm.
Extensions: Added in version 3.
Signature: Contains the signature of all of the other fields.

PKIX is the IETF working group to set up a formal and a generic model based on X.509. In other words, PKIX specifies which X.509 options should be supported on the Internet. The choice of X.509 as the base for the certificate formats is questionable though because it is not flexible enough to satisfy the requirements of many applications.

For example, to specify X.500 names there are rules about what types of name components are allowed to be under what others. This brings problems when an application uses a different form of naming. For instance in SSL, URLs contain DNS names instead of X.500 names. A common workaround to this problem is to demand one portion of the X.500 name to be the DNS name.

Today, there is no widely deployed X.500 directories and most deployed PKIs do not use directories. Only within a company or other closed groups, directories are used to place certificates. Alternative forms of obtaining certificated include emailing certificates (as in S/MIME standard) or sending them as part of the exchange in the protocol (as in SSL).
But, directories are more flexible and useful for example when a user wants to send an encrypted message to another user without first contacting with him/her.


    

VIII.II.II Q

[+] Question

[-] Question

What is the problem of not having the URL address as part of the certificate signed?

    
   
       
 
«previous session [1] [2] [3] next session »
   
       
 
«proceed to previous sectionproceed to next section »
  chapter index