Datasheet

ManualsBrandsNovell ManualsSoftware00662644465449-OEM

641

642

643

644

645

646

647

648

649

650

“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 621 — #647

Security in the Network

Key Authenticity

Because the public key process is in widespread use, there are many public

keys in circulation. Successful use of this system requires that every user

be sure that a public key does indeed belong to the assumed owner. The

assignment of users and public keys will be conﬁrmed by trustworthy in-

stances by means of public key certiﬁcates. Such certiﬁcates contain the

name of the key owner, the corresponding public key, and the electronic

signature of the person issuing the certiﬁcate. Trustworthy instances are

usually part of a certiﬁcation infrastructure that, in addition to issuing and

signing certiﬁcates, is also responsible for the other aspects of certiﬁcate

management. This includes publication, withdrawal and renewal of certiﬁ-

cates. An infrastructure of this kind is generally referred to as a public key

infrastructure or PKI. One familiar PKI is the OpenPGP standard in which

users publish their certiﬁcates themselves without central authorization

points. These certiﬁcates become trustworthy when signed by other parties

in the “web of trust.”

The hierarchically structured X.509 Public Key Infrastructure (PKIX) is an al-

ternative model deﬁned by the IETF (Internet Engineering Task Force that

now acts as an exemplar for almost all publicly-used PKIs. In this model,

authentication is carried out in a hierarchical tree structure by certiﬁca-

tion authorities (CA). The root of the tree is formed by the root CA, which

certiﬁes all sub-CAs or the next level own to the sub-CAs of the lowest

level which issue user certiﬁcates. The user certiﬁcates become trustwor-

thy through certiﬁcation by the next highest sub-CAs, which in turn have

been certiﬁed by the higher levels of the hierarchy. This creates a certiﬁca-

tion path that ends with the root CA.

The security of such a PKI stands and falls with the trustworthiness of the

CA certiﬁcates. To make certiﬁcation practices transparent for PKI cus-

tomers, the PKI operator deﬁnes a certiﬁcation practice statement (CPS) in

which the procedures for certiﬁcate management are deﬁned. This should

ensure that the PKI only issues trustworthy certiﬁcates.

X.509 Certiﬁcates

An X.509 certiﬁcate is a data structure with several ﬁxed ﬁelds and (op-

tional) additional extensions. The ﬁxed ﬁelds mainly contain the name

of the key owner, the public key, and the data relating to the issuing CA

(name and signature). For security reasons, a certiﬁcate should only have a

limited period of validity, so a ﬁeld is also provided for this date. The CA

guarantees the validity of the certiﬁcate in the speciﬁed period. The CPS

usually stipulates that the PKI (in other words, the CA in the ﬁnal analysis)

should create and distribute a new certiﬁcate before validity lapses.

621SUSE LINUX Enterprise Server