
“main” (Installation and Administration) 2004/6/25 13:29 page 623 #649
26 Security in the Network
The CA supplies these lists to public CRL distribution points (CDPs) at regular intervals. Optionally, the CDP can also be named in an extension of the certificate itself (the CRL distribution points extension), so that a checker can fetch a current CRL from there during validation. An alternative to downloading complete CRLs is the Online Certificate Status Protocol (OCSP), with which the checker asks a responder for the status of a single certificate. The authenticity of a CRL is ensured by the signature of the issuing CA. A checker must also compare the Next Update time against the current time, because an old but correctly signed CRL would otherwise hide revocations that were published later. Table 26.2 shows the principle underlying an X.509 CRL.
Table 26.2: X.509 Certificate Revocation List (CRL)

Field                         Content
Version                       The version of the CRL, e.g., v2.
Signature                     The ID of the algorithm used to sign the CRL.
Issuer                        Distinguished name (DN) of the publisher of the CRL
                              (usually the issuing CA).
This Update                   Time of publication (date, time) of this CRL.
Next Update                   Time (date, time) by which the next CRL will be
                              published at the latest.
List of revoked certificates  One entry per revoked certificate: its serial
                              number, the time of revocation, and optional
                              extensions (CRL entry extensions, e.g., the
                              revocation reason).
Extensions                    Optional CRL extensions (e.g., the CRL number).
Repository for Certificates and CRLs
To be used, the certificates and CRLs of a CA must be made publicly accessible, which requires a repository. Because certificates and CRLs cannot be forged without the CA's private key, thanks to the signature, the repository itself does not need to be secured in a special way: a tampered object fails signature verification and is rejected by the checker. The repository does, however, have to be reachable and serve the current CRL, since a checker that obtains no CRL at all, or only one whose Next Update has passed, has no basis for a decision. Apart from that, the aim should be the simplest and fastest access possible. For this reason, certificates and CRLs are often provided by means of an LDAP or HTTP server. Find explanations about LDAP in Section 21.8 on page 476. Chapter 22 on page 529 contains information about the HTTP server.
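As an added example, not code from this manual, the following POSIX shell script builds a throw-away CA with the openssl command, issues and revokes a certificate, publishes CRLs carrying the fields of Table 26.2, and runs the checks described in the two passages above: the CRL signature, the Next Update time, and the list of revoked serial numbers. The CA name "Demo CA", the certificate name "leaf", the working directory and the CDP URL are invented for the demo; the -crlsec option needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the SUSE manual): throw-away CA, one certificate,
# revocation, CRL publication and the checks a CRL-aware validator performs.
# "Demo CA", "leaf" and the CDP URL are made-up names for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
export CA_DIR=ca            # directory 'openssl ca' works in (see $ENV::CA_DIR)

# Minimal configuration for 'openssl req' and 'openssl ca'.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber   # if set, a CRL Number extension is added
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7                # Next Update = This Update + 7 days
policy           = any_policy
x509_extensions  = leaf_ext
[ any_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://pki.example.test/demo.crl
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
EOF

make_ca() {   # $1 = directory: self-signed CA plus the files 'openssl ca' needs
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

issue_cert() {   # $1 = name: key, CSR and a certificate signed by the CA in $CA_DIR
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

gen_crl() {   # $1 = output file; further args go to 'openssl ca -gencrl'
    out=$1; shift
    openssl ca -config ca.cnf -gencrl -out "$out" "$@" >/dev/null 2>&1
}

cert_status() {   # $1 = CRL file, $2 = certificate: chain validation with CRL check
    if res=$(openssl verify -crl_check -CAfile ca/ca.crt -CRLfile "$1" "$2" 2>&1); then
        echo good; return
    fi
    case "$res" in           # CRL-level errors are reported before entry lookups
        *"CRL has expired"*)       echo stale-crl ;;
        *"CRL signature failure"*) echo bad-crl-signature ;;
        *"certificate revoked"*)   echo revoked ;;
        *)                         echo "error: $res" ;;
    esac
}

make_ca ca
issue_cert leaf
# 1. Fresh CRL, no entries: the certificate passes.
gen_crl fresh.crl
STATUS_FRESH=$(cert_status fresh.crl leaf.crt)
# 2. Revoke with a reason and republish: the serial is listed, validation fails.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1
gen_crl revoked.crl
STATUS_REVOKED=$(cert_status revoked.crl leaf.crt)
# 3. Correctly signed but past Next Update: a replayed old CRL must be rejected.
gen_crl stale.crl -crlsec 1
sleep 2
STATUS_STALE=$(cert_status stale.crl leaf.crt)
# 4. Same issuer name, different key: the signature check catches a forged CRL.
make_ca rogue
CA_DIR=rogue
gen_crl forged.crl
STATUS_FORGED=$(cert_status forged.crl leaf.crt)

printf '%s\n' "fresh: $STATUS_FRESH" "revoked: $STATUS_REVOKED" "stale: $STATUS_STALE" "forged: $STATUS_FORGED"
# Table 26.2 fields as OpenSSL prints them: Version, Signature Algorithm, Issuer,
# Last/Next Update, the revoked serial with its reason, CRL Number extension.
openssl crl -in revoked.crl -noout -text
```

Run it with sh crl-demo.sh. The four status lines read good, revoked, stale-crl and bad-crl-signature, and the final openssl crl -text dump shows the serial number of the revoked certificate together with its CRL Reason Code entry extension and the CRL Number extension. Case 3 is the one worth remembering when the repository is an untrusted HTTP or LDAP server: the signature on an old CRL stays valid forever, so only the Next Update check prevents a replayed copy from hiding a later revocation.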
623 SUSE LINUX Enterprise Server