A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)

A.4 CRL Checking
The RSC can optionally check each certificate in the chain for revocation. Three methods are in common use:
1. Checking a local copy of the associated CRL
2. Checking a copy of the associated CRL available in an LDAP database
3. Querying a certificate status server using the Online Certificate Status Protocol (OCSP)
The CRL Distribution Point attribute of an X.509 certificate is a Uniform Resource Identifier (URI) list that indicates where the CRL can be located. Likewise, the certificate's Authority Information Access attribute can contain the URI of an OCSP server. Whichever method is used, the revocation information (the CRL or the OCSP response) must be signed by the certificate's issuer, or by a responder the issuer has authorized, so that its authenticity can be verified. Otherwise, anyone who can tamper with the CRL or the OCSP response could mark a valid certificate as revoked, which amounts to a denial-of-service attack.
Some of these CRL checks can cause unexpected network traffic. Some CRL-checking mechanisms first try a local copy of the CRL; if the local CRL is unavailable or out of date, they then try the URIs found in the CRL Distribution Point attribute. OCSP queries also generate network activity. When the RSC checks the revocation status of the services.isee.hp.com certificate, it may try the following URIs:
http://crl.verisign.com/pca3.crl - URI for the VeriSign Class 3 Public Primary CA CRL
http://SVRSecure-crl.verisign.com/SVRSecure2005.crl - URI for the VeriSign Class 3 Secure Server CA CRL
http://ocsp.verisign.com - Location of VeriSign’s OCSP server
All of this means that a network manager could see attempts to contact these three systems on TCP port 80
if no HTTP proxy server is used.
If the CRL is not present or not accessible, the RSC assumes the certificate is valid. Note that this is a fail-open policy: a revoked certificate is still accepted whenever the RSC cannot obtain a current CRL, so anyone able to block access to the CRL Distribution Point URIs or the OCSP responder can keep a revocation from taking effect.
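The check described in this section, as an added example that is not code from the HP document or from the RSC itself: it reads the CRL Distribution Point and Authority Information Access (OCSP) URIs out of a certificate, accepts a CRL only if its signature verifies under the issuer's key and it is not past its next-update time, looks the serial number up, and shows the difference between the fail-open handling described above and a fail-closed policy when no usable CRL is available. It uses the `cryptography` package; the issuing CA, the leaf certificate, the serial numbers and the URIs are all constructed in memory for the example and are not the HP or VeriSign ones named in the text. A "local copy" of a CRL is modelled as a dictionary entry keyed by its distribution-point URI; a missing entry stands for an unreachable distribution point.

```python
"""Added example: CDP/AIA extraction and an issuer-verified CRL lookup.
CA, leaf certificate and URIs are constructed here, not taken from the text."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

CRL_URI = "http://crl.example.test/issuing-ca.crl"   # constructed, not a real CDP
OCSP_URI = "http://ocsp.example.test"                 # constructed, not a real responder
UTC = datetime.timezone.utc


def _key():
    # EC keys keep the example fast; the checks below do not depend on the key type.
    return ec.generate_private_key(ec.SECP256R1())


def _validity(builder):
    now = datetime.datetime.now(UTC)
    return (builder.not_valid_before(now - datetime.timedelta(days=1))
                   .not_valid_after(now + datetime.timedelta(days=30)))


def build_pki():
    """Issuing CA plus one leaf that carries CDP and AIA (OCSP) extensions."""
    ca_key, leaf_key = _key(), _key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    ca_builder = (x509.CertificateBuilder()
                  .subject_name(ca_name).issuer_name(ca_name)
                  .public_key(ca_key.public_key())
                  .serial_number(x509.random_serial_number())
                  .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    ca_cert = _validity(ca_builder).sign(ca_key, hashes.SHA256())
    leaf_builder = (x509.CertificateBuilder()
                    .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                                                "services.example.test")]))
                    .issuer_name(ca_name).public_key(leaf_key.public_key())
                    .serial_number(x509.random_serial_number())
                    .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                        [x509.UniformResourceIdentifier(CRL_URI)], None, None, None)]),
                        critical=False)
                    .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                        AuthorityInformationAccessOID.OCSP,
                        x509.UniformResourceIdentifier(OCSP_URI))]), critical=False))
    leaf = _validity(leaf_builder).sign(ca_key, hashes.SHA256())
    return ca_key, ca_cert, leaf


def build_crl(signing_key, issuer_cert, revoked_serials):
    """DER CRL issued in issuer_cert's name. Signing with a key other than the
    issuer's produces a CRL whose issuer name matches but whose signature will not verify."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(now - datetime.timedelta(hours=1))
               .next_update(now + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now - datetime.timedelta(hours=1)).build())
    return builder.sign(signing_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def revocation_endpoints(cert):
    """URIs from the CRL Distribution Point and AIA extensions, as two lists."""
    crl_uris, ocsp_uris = [], []
    try:
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            crl_uris += [n.value for n in (dp.full_name or [])
                         if isinstance(n, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    try:
        for ad in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
            if (ad.access_method == AuthorityInformationAccessOID.OCSP
                    and isinstance(ad.access_location, x509.UniformResourceIdentifier)):
                ocsp_uris.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return crl_uris, ocsp_uris


def _next_update(crl):
    # next_update_utc exists in cryptography >= 42; older versions expose naive UTC next_update.
    dt = crl.next_update_utc if hasattr(crl, "next_update_utc") else crl.next_update
    if dt is None:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def check_revocation(cert, issuer_cert, crl_store, fail_open):
    """crl_store maps a CDP URI to the DER bytes of a local copy of that CRL;
    a missing key models an unreachable distribution point."""
    crl_uris, _ocsp_uris = revocation_endpoints(cert)
    for uri in crl_uris:
        der = crl_store.get(uri)
        if der is None:
            continue                                   # unreachable: try the next CDP
        crl = x509.load_der_x509_crl(der)
        if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
            continue                                   # not signed by the issuer: untrusted
        nxt = _next_update(crl)
        if nxt is not None and nxt < datetime.datetime.now(UTC):
            continue                                   # stale local copy: needs a refresh
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "good"
    # No usable CRL. The RSC behaviour described in the text is the fail-open branch.
    return "unknown-accepted" if fail_open else "unknown-rejected"


def demo():
    ca_key, ca_cert, leaf = build_pki()
    rogue_key = _key()   # an attacker's key: can forge a CRL body, not the issuer's signature
    return {
        "endpoints": revocation_endpoints(leaf),
        "not_revoked": check_revocation(leaf, ca_cert, {CRL_URI: build_crl(ca_key, ca_cert, [])}, True),
        "revoked": check_revocation(leaf, ca_cert,
                                    {CRL_URI: build_crl(ca_key, ca_cert, [leaf.serial_number])}, True),
        "forged_crl": check_revocation(leaf, ca_cert,
                                       {CRL_URI: build_crl(rogue_key, ca_cert, [leaf.serial_number])}, False),
        "unreachable_fail_open": check_revocation(leaf, ca_cert, {}, True),
        "unreachable_fail_closed": check_revocation(leaf, ca_cert, {}, False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged-CRL case is the point of the signature requirement above: the rogue CRL names the right issuer and lists the leaf's serial, yet it is ignored because only the issuer's key verifies it. The two "unreachable" cases show what the RSC's fail-open rule costs; a fail-closed policy turns a blocked CRL fetch into a connection failure rather than an accepted certificate.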
A.5 Self-Signed Certificates
A self-signed certificate is a certificate that has been signed with the private key corresponding to its own public key. A CA root certificate is a self-signed certificate. Unlike verification of a CA-issued certificate, successful verification of a self-signed certificate requires the verifier to already hold a trusted copy of that certificate. Several observations about self-signed certificates:
• The use of self-signed certificates does not scale well. If a group of systems wish to authenticate each other using self-signed certificates, each system must have a copy of every other system's certificate.
• Self-signed certificates are administered just like SSH public keys, except that they have an expiration date.
• CRLs do not apply, so if the private key of a self-signed certificate is compromised, each copy of the certificate must be found and removed. Note that the same is true of a CA root certificate.