One of the main issues solved by PKI is the scalability of the key exchange. Keys can now be exchanged almost automatically and for many more users than in the past. The second problem was key compromise. Using manual key exchange did not solve this problem. When a private key has been compromised, all other entities must be notified that they can no longer trust that key. Although it is a difficult task, removal of the compromised entity's public key from all other entities does the job.
PKI offers a solution to the problem of key compromise: certificate revocation lists (CRLs). A CRL contains all certificates that are no longer valid. It is the end user's duty to check for a fresh CRL after the old one has expired and to compare any certificate with the most recently updated list. A certificate can be placed on a CRL for many reasons, including the following:
The private key is compromised.
The contract is terminated.
The private key is lost.
A VPN router is replaced.
A certificate can be placed on a CRL by following these steps:
Step 1. The certificate is no longer valid.
Step 2. The CA administrator is contacted and requested to revoke the certificate. The administrator may require additional authentication.
Step 3. The CA administrator places the certificate on the CRL.
Step 4. A new CRL is published.
Step 5. End users check the CA for a new CRL after their old CRL has expired.
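The end-user side of these steps, as an added Python example that is not from the book: a checker that normalizes a serial number the way a certificate viewer displays it (spaces or colons removed, as the note later in this section requires), refuses to give an answer from an expired CRL, and otherwise reports whether the serial is on the list. The CA name, serial numbers and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Status(Enum):
    GOOD = "not on the CRL"
    REVOKED = "revoked"
    CRL_STALE = "CRL expired; fetch a fresh CRL before trusting the answer"

def normalize_serial(displayed: str) -> int:
    """Serial as a viewer shows it ('12 34 ab cd' or '12:34:AB:CD') -> integer."""
    return int("".join(displayed.split()).replace(":", ""), 16)

@dataclass
class RevokedEntry:
    serial: int
    revoked_at: datetime
    reason: str  # e.g. keyCompromise, cessationOfOperation, superseded

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> RevokedEntry

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update

def check_status(crl: CRL, issuer: str, serial_text: str, now: datetime):
    """Return (Status, RevokedEntry or None) for a certificate issued by `issuer`."""
    if crl.issuer != issuer:
        raise ValueError("CRL comes from a different CA and says nothing about this cert")
    if not crl.is_fresh(now):  # expired CRL: newer revocations may be missing
        return Status.CRL_STALE, None
    entry = crl.revoked.get(normalize_serial(serial_text))
    return (Status.REVOKED, entry) if entry else (Status.GOOD, None)

# Constructed sample: a weekly CRL from a hypothetical CA (not real data)
UTC = timezone.utc
SAMPLE_CRL = CRL("Example CA (hypothetical)", datetime(2024, 1, 1, tzinfo=UTC),
                 datetime(2024, 1, 8, tzinfo=UTC))
for e in (RevokedEntry(0x1234ABCD, datetime(2023, 12, 30, tzinfo=UTC), "keyCompromise"),
          RevokedEntry(0x0000BEEF, datetime(2023, 12, 31, tzinfo=UTC), "cessationOfOperation")):
    SAMPLE_CRL.revoked[e.serial] = e

def status_at(serial_text: str, iso_now: str) -> Status:
    """Check serial_text against SAMPLE_CRL at an ISO-8601 time such as '2024-01-02T00:00:00+00:00'."""
    return check_status(SAMPLE_CRL, SAMPLE_CRL.issuer, serial_text, datetime.fromisoformat(iso_now))[0]
```

A stale CRL is reported as its own status rather than as "good", because a certificate revoked after the old list was published would otherwise pass the check.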
The conditions necessary for placing a certificate on the CRL make it clear that there is a weak point in this approach. First of all, a long time can elapse between the compromise of a certificate and the detection of the compromise. In addition, all end users refresh their CRLs only after the previous CRL has expired, and the refreshing process usually takes several hours. If you ever have any doubt about the authenticity of a site, you can check to see if its certificate is still valid. For example, the Cisco Press website uses certificates. If you navigate to a secure page, click the File menu in Internet Explorer, and then click Properties, you see the dialog box shown in Figure 13-7.
To view the certificate, click the Certificates button. The result of this action is shown in Figure 13-8.
In Figure 13-8, you can see the name of the CA. In this case, it is the Secure Server Certification Authority, which is VeriSign's CA name. To view the details of this certificate, click the Details tab.
Figure 13-9 shows all the details available for the certificate, such as the version, serial number, and issuer.
To check that this certificate is still valid, copy the serial number to the clipboard and go to VeriSign's website: http://www.verisign.com/repository/.
NOTE
When you submit the serial number on the site, remove the spaces from the number.
Scroll down to the Certificate Status and Information section and click Search for and Check the Status of an SSL Certificate. On the Server ID Services page that displays, scroll down to the Search by Server ID Serial number section shown in Figure 13-10. Paste in the certificate's serial number and click Search.
The result, shown in Figure 13-11, tells you that the certificate is valid. If it is no longer valid, you see a page stating that no matches were found.