certificates, trust & pki - courses.cs.washington.edu...february 21, 2006 practical aspects of...
TRANSCRIPT
Cert
ifica
tes,
Tru
st &
PKI
Cert
ifica
tes,
Tru
st &
PKI
Bria
n A.
LaM
acch
iaBr
ian
A. L
aMac
chia
bal@
cs.w
ashi
ngto
n.ed
uba
l@cs
.was
hing
ton.
edu
bal@
mic
roso
ft.co
mba
l@m
icro
soft.
com
Por
tions
© 2
002-
2006
, Bria
n A
. LaM
acch
ia.
Th
is m
ater
ial i
s pr
ovid
ed w
ithou
t war
rant
y of
any
kin
d in
clud
ing,
with
out l
imita
tion,
war
rant
y of
non
-infri
ngem
ent o
r sui
tabi
lity
for a
ny p
urpo
se.
This
mat
eria
l is
not g
uara
ntee
d to
be
erro
r fre
e an
d is
inte
nded
for i
nstru
ctio
nal u
se o
nly.
Cert
ifica
tes
Cert
ifica
tes
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
33
Why
do
I tru
st th
e se
rver
key
?W
hy d
o I t
rust
the
serv
er k
ey?
!!H
ow d
o I k
now
I�m
rea
lly ta
lkin
g to
H
ow d
o I k
now
I�m
rea
lly ta
lkin
g to
A
maz
on.c
omA
maz
on.c
om??
!!W
hat d
efea
ts a
man
Wha
t def
eats
a m
an-- i
nin-- t
hethe --
mid
dle
mid
dle
atta
ck?
atta
ck?
Web
Web
Serv
erSe
rver
Clie
ntC
lient
Mal
let
Mal
let
HTT
P w
ith
HTT
P w
ith
SSL/
TLS
SSL/
TLS
HTT
P w
ith
HTT
P w
ith
SSL/
TLS
SSL/
TLS
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
44
SSL/
TLS
SSL/
TLS
You
(clie
nt)
You
(clie
nt)
Mer
chan
t (se
rver
)M
erch
ant (
serv
er)
Let�s
talk
secu
rely
.H
ere
are
the
prot
ocol
s and
cip
hers
I un
ders
tand
.
Her
e is
a fr
esh
key
encr
ypte
d w
ith y
our k
ey.
I cho
ose
this
pro
toco
l and
cip
hers
.H
ere
is m
y pu
blic
key
and
so
me
othe
r stu
ff th
at w
ill m
ake
you
trust
this
key
is m
ine.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
55
Wha
t�s
the
�som
e ot
her s
tuff
�W
hat�
s th
e �s
ome
othe
r stu
ff�
How
can
we
conv
ince
Alic
e th
at s
ome
key
How
can
we
conv
ince
Alic
e th
at s
ome
key
belo
ngs
to B
ob?
belo
ngs
to B
ob?
!!A
lice
and
Bob
coul
d ha
ve m
et
Alic
e an
d Bo
b co
uld
have
met
pr
evio
usly
& e
xcha
nged
key
s di
rect
ly.
prev
ious
ly &
exc
hang
ed k
eys
dire
ctly
.""
Jeff
Je
ff B
ezos
Bezo
sis
n�t g
oing
to s
hake
han
ds w
ith
isn�
t goi
ng to
sha
ke h
ands
with
ev
eryo
ne h
e�d
like
to s
ell t
o...
ever
yone
he�
d lik
e to
sel
l to.
..!!
Som
eone
Alic
e tr
usts
cou
ld v
ouch
to
Som
eone
Alic
e tr
usts
cou
ld v
ouch
to
her
for
Bob
and
Bob�
s ke
yhe
r fo
r Bo
b an
d Bo
b�s
key
""A
thir
d pa
rty
can
A th
ird
part
y ca
n ce
rtify
cert
ifyBo
b�s
key
in a
Bo
b�s
key
in a
w
ay th
at c
onvi
nces
Alic
e.w
ay th
at c
onvi
nces
Alic
e.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
66
Wha
t is
a ce
rtifi
cate
?W
hat i
s a
cert
ifica
te?
!!A
cer
tific
ate
is a
dig
ital
lyA
cer
tific
ate
is a
dig
ital
ly-- s
igne
d si
gned
st
atem
ent t
hat b
inds
a p
ublic
key
to
stat
emen
t tha
t bin
ds a
pub
lic k
ey to
so
me
iden
tify
ing
info
rmat
ion.
som
e id
enti
fyin
g in
form
atio
n.""
The
sign
er o
f the
cer
tific
ate
is c
alle
d it
s Th
e si
gner
of t
he c
erti
ficat
e is
cal
led
its
issu
er.
issu
er.
""Th
e en
tity
talk
ed a
bout
in th
e ce
rtifi
cate
Th
e en
tity
talk
ed a
bout
in th
e ce
rtifi
cate
is
the
is th
e su
bjec
tsu
bjec
tof
the
cert
ifica
te.
of th
e ce
rtifi
cate
.!!
That
�s a
ll a
cert
ifica
te is
, at t
he 3
0,00
0�
That
�s a
ll a
cert
ifica
te is
, at t
he 3
0,00
0�
leve
l. le
vel.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
77
Cert
ifica
tes
are
Like
Mar
riag
eCe
rtifi
cate
s ar
e Li
ke M
arri
age
By th
e po
wer
ves
ted
in m
e I n
ow d
ecla
re
By th
e po
wer
ves
ted
in m
e I n
ow d
ecla
re
this
text
and
this
bit
stri
ng �
nam
e� a
nd
this
text
and
this
bit
stri
ng �
nam
e� a
nd
�key
.� W
hat R
SA h
as jo
ined
, let
no
�key
.� W
hat R
SA h
as jo
ined
, let
no
man
put
asu
nder
.m
an p
ut a
sund
er.
----Bo
b Bo
b Bl
akle
yBl
akle
y
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
88
Cert
sCe
rts
in th
e �r
eal w
orld
�in
the
�rea
l wor
ld�
!!A
dri
ver�
s lic
ense
is
A d
rive
r�s
licen
se is
likelike
a ce
rtifi
cate
a ce
rtifi
cate
""It
is a
�si
gned
� do
cum
ent (
seal
ed,
It is
a �
sign
ed�
docu
men
t (se
aled
, ta
mpe
rta
mpe
r --re
sist
ant)
resi
stan
t)""
It is
cre
ated
and
sig
ned
by a
n �i
ssui
ng
It is
cre
ated
and
sig
ned
by a
n �i
ssui
ng
auth
orit
y� (t
he W
A D
ept.
of L
icen
sing
)au
thor
ity�
(the
WA
Dep
t. of
Lic
ensi
ng)
""It
bin
ds to
geth
er v
ario
us p
iece
s of
It
bin
ds to
geth
er v
ario
us p
iece
s of
id
enti
fyin
g in
form
atio
nid
enti
fyin
g in
form
atio
n""
Nam
eN
ame
""Li
cens
e nu
mbe
rLi
cens
e nu
mbe
r""
Dri
ving
res
tric
tion
s (m
ust w
ear
Dri
ving
res
tric
tion
s (m
ust w
ear
glas
ses,
etc
.)gl
asse
s, e
tc.)
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
99
Mor
e M
ore
cert
sce
rts
in th
e re
al w
orld
in th
e re
al w
orld
!!M
any
phys
ical
obj
ects
are
like
M
any
phys
ical
obj
ects
are
like
ce
rtifi
cate
s:ce
rtifi
cate
s:""
Any
type
of l
icen
se
Any
type
of l
icen
se ��
vehi
cle
tabs
, ve
hicl
e ta
bs,
rest
aura
nt li
quor
lice
nse,
am
ateu
r ra
dio
rest
aura
nt li
quor
lice
nse,
am
ateu
r ra
dio
licen
se, e
tc.
licen
se, e
tc.
""G
over
nmen
tG
over
nmen
t --is
sued
IDs
(pas
spor
ts, g
reen
is
sued
IDs
(pas
spor
ts, g
reen
ca
rds)
card
s)""
Mem
bers
hip
card
s (e
.g. C
ostc
o, d
isco
unt
Mem
bers
hip
card
s (e
.g. C
ostc
o, d
isco
unt
card
s)ca
rds)
!!A
ll of
thes
e ex
ampl
es b
ind
an id
entit
y A
ll of
thes
e ex
ampl
es b
ind
an id
entit
y an
d ce
rtai
n ri
ghts
, pri
vile
ges
or o
ther
an
d ce
rtai
n ri
ghts
, pri
vile
ges
or o
ther
id
entif
iers
iden
tifie
rs""
�BA
L =
=N
1TJT
� si
gned
FCC
�BA
L =
=N
1TJT
� si
gned
FCC
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1010
Why
do
we
belie
ve w
hat
Why
do
we
belie
ve w
hat
cert
sce
rts
say?
say?
!!In
the
phys
ical
wor
ld, w
hy d
o w
e tr
ust
In th
e ph
ysic
al w
orld
, why
do
we
trus
t th
e st
atem
ents
con
tain
ed o
n a
phys
ical
th
e st
atem
ents
con
tain
ed o
n a
phys
ical
ce
rt?
cert
?""
We
belie
ve it
�s h
ard
to fo
rge
the
cert
We
belie
ve it
�s h
ard
to fo
rge
the
cert
""W
e tr
ust t
he e
ntit
y th
at �
sign
ed�
the
cert
We
trus
t the
ent
ity
that
�si
gned
� th
e ce
rt!!
In th
e di
gita
l wor
ld w
e ne
ed th
ose
In th
e di
gita
l wor
ld w
e ne
ed th
ose
sam
e tw
o pr
oper
ties
sam
e tw
o pr
oper
ties
""W
e ne
ed to
bel
ieve
it�s
har
d to
forg
e th
e W
e ne
ed to
bel
ieve
it�s
har
d to
forg
e th
e di
gita
l sig
natu
re o
n a
sign
ed d
ocum
ent
digi
tal s
igna
ture
on
a si
gned
doc
umen
t""
We
need
to tr
ust t
he is
suer
/sig
ner
not t
o W
e ne
ed to
trus
t the
issu
er/s
igne
r no
t to
lie to
us
lie to
us
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1111
Def
eatin
g M
alle
tD
efea
ting
Mal
let
Bob
can
conv
ince
Alic
e th
at h
is k
ey r
eally
doe
s Bo
b ca
n co
nvin
ce A
lice
that
his
key
rea
lly d
oes
belo
ng to
him
if h
e ca
n al
so s
end
alon
g a
digi
tal
belo
ng to
him
if h
e ca
n al
so s
end
alon
g a
digi
tal
cert
ifica
te A
lice
will
bel
ieve
& tr
ust
cert
ifica
te A
lice
will
bel
ieve
& tr
ust
Bob
Bob
Alic
eA
lice
Let�s
talk
secu
rely
.H
ere
are
the
prot
ocol
s and
cip
hers
I un
ders
tand
.
I cho
ose
this
pro
toco
l and
cip
hers
.H
ere
is m
y pu
blic
key
and
a
certi
ficat
e to
con
vinc
e yo
u th
at th
eke
y re
ally
bel
ongs
to m
e.
Cer
tC
ert
Cer
tC
ert
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1212
Get
ting
a ce
rtifi
cate
Get
ting
a ce
rtifi
cate
!!H
ow d
oes
Bob
get a
cer
tific
ate
for
his
How
doe
s Bo
b ge
t a c
ertif
icat
e fo
r hi
s ke
y?ke
y?!!
He
goes
to a
Cer
tific
ate
Aut
hori
ty (C
A)
He
goes
to a
Cer
tific
ate
Aut
hori
ty (C
A)
that
issu
es c
ertif
icat
es a
nd a
sks
for
that
issu
es c
ertif
icat
es a
nd a
sks
for
one.
..on
e...
!!Th
e CA
Th
e CA
issu
esis
sues
Bob
a ce
rtifi
cate
for
his
Bob
a ce
rtifi
cate
for
his
publ
ic k
ey.
publ
ic k
ey.
""CA
is th
e is
suer
CA is
the
issu
er""
Bob
is th
e su
bjec
tBo
b is
the
subj
ect
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1313
Usi
ng C
ertif
icat
esU
sing
Cer
tific
ates
!!N
ow th
at B
ob h
as a
cer
tific
ate,
is it
N
ow th
at B
ob h
as a
cer
tific
ate,
is it
us
eful
?us
eful
?!!
Alic
e w
ill b
elie
ve B
ob�s
key
bel
ongs
to
Alic
e w
ill b
elie
ve B
ob�s
key
bel
ongs
to
Bob
if A
lice
belie
ves
the
cert
ifica
te
Bob
if A
lice
belie
ves
the
cert
ifica
te
Bob
give
s he
r fo
r hi
s ke
y.Bo
b gi
ves
her
for
his
key.
!!A
lice
will
bel
ieve
Bob
�s k
ey b
elon
gs to
A
lice
will
bel
ieve
Bob
�s k
ey b
elon
gs to
Bo
b if
Alic
e tr
usts
the
issu
er o
f Bob
�s
Bob
if A
lice
trus
ts th
e is
suer
of B
ob�s
ce
rtifi
cate
to m
ake
key
cert
ifica
te to
mak
e ke
y --na
me
bind
ing
nam
e bi
ndin
g st
atem
ents
stat
emen
ts!!
Hav
e w
e m
ade
the
situ
atio
n an
y H
ave
we
mad
e th
e si
tuat
ion
any
bett
er?
bett
er?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1414
Doe
s A
lice
Trus
t Bob
�s C
A?
Doe
s A
lice
Trus
t Bob
�s C
A?
How
can
we
conv
ince
Alic
e to
trus
t Bob
�s C
A?
How
can
we
conv
ince
Alic
e to
trus
t Bob
�s C
A?
!!A
lice
and
Bob�
s CA
cou
ld h
ave
met
A
lice
and
Bob�
s CA
cou
ld h
ave
met
pr
evio
usly
& e
xcha
nged
key
s di
rect
ly.
prev
ious
ly &
exc
hang
ed k
eys
dire
ctly
.""
Bob�
s CA
isn�
t goi
ng to
sha
ke h
ands
with
Bo
b�s
CA is
n�t g
oing
to s
hake
han
ds w
ith
ever
yone
he�
s ce
rtifi
ed, l
et a
lone
eve
ryon
e ev
eryo
ne h
e�s
cert
ified
, let
alo
ne e
very
one
who
m B
ob w
ants
to ta
lk to
.w
hom
Bob
wan
ts to
talk
to.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1515
Doe
s A
lice
Trus
t Bob
�s C
A?
Doe
s A
lice
Trus
t Bob
�s C
A?
How
can
we
conv
ince
Alic
e to
trus
t Bob
�s C
A?
How
can
we
conv
ince
Alic
e to
trus
t Bob
�s C
A?
!!A
lice
and
Bob�
s CA
cou
ld h
ave
met
A
lice
and
Bob�
s CA
cou
ld h
ave
met
pr
evio
usly
& e
xcha
nged
key
s di
rect
ly.
prev
ious
ly &
exc
hang
ed k
eys
dire
ctly
.""
Bob�
s CA
isn�
t goi
ng to
sha
ke h
ands
with
Bo
b�s
CA is
n�t g
oing
to s
hake
han
ds w
ith
ever
yone
he�
s ce
rtifi
ed, l
et a
lone
eve
ryon
e ev
eryo
ne h
e�s
cert
ified
, let
alo
ne e
very
one
who
m B
ob w
ants
to ta
lk to
.w
hom
Bob
wan
ts to
talk
to.
!!So
meo
ne A
lice
trus
ts c
ould
vou
ch to
her
So
meo
ne A
lice
trus
ts c
ould
vou
ch to
her
fo
r Bo
b�s
CA a
nd B
ob�s
CA
�s k
eyfo
r Bo
b�s
CA a
nd B
ob�s
CA
�s k
ey""
Infin
ite L
oop:
See
Loo
p, In
finite
.In
finite
Loo
p: S
ee L
oop,
Infin
ite.
""A
ctua
lly, i
t�s
just
a b
ound
ed r
ecur
sion
...A
ctua
lly, i
t�s
just
a b
ound
ed r
ecur
sion
...
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1616
Wha
t�s
Alic
e�s
Trus
t Mod
elW
hat�
s A
lice�
s Tr
ust M
odel
!!A
lice
has
to im
plic
itly
trus
t A
lice
has
to im
plic
itly
trus
t so
me
som
ese
t of
set o
f ke
yske
ys""
Onc
e sh
e do
es th
at, t
hose
key
s ca
n O
nce
she
does
that
, tho
se k
eys
can
intr
oduc
e ot
hers
to h
er.
intr
oduc
e ot
hers
to h
er.
!!In
the
mod
el u
sed
by S
SL/T
LS,
In th
e m
odel
use
d by
SSL
/TLS
, CA
sCA
sar
e ar
e ar
rang
ed in
a h
iera
rchy
arra
nged
in a
hie
rarc
hy""
Alic
e, a
nd e
very
one
else
, tru
sts
one
or
Alic
e, a
nd e
very
one
else
, tru
sts
one
or
mor
e �r
oot C
A�
that
live
at t
he to
p of
the
mor
e �r
oot C
A�
that
live
at t
he to
p of
the
tree
tree
!!O
ther
mod
els
wor
k di
ffer
ently
Oth
er m
odel
s w
ork
diff
eren
tly
Publ
ic K
ey In
fras
truc
ture
Publ
ic K
ey In
fras
truc
ture
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1818
Cert
ifica
te A
utho
ritie
sCe
rtifi
cate
Aut
hori
ties
!!A
cer
tific
ate
auth
ority
(CA
) gua
rant
ees
A c
ertif
icat
e au
thor
ity (C
A) g
uara
ntee
s th
e co
nnec
tion
betw
een
a ke
y an
d th
e co
nnec
tion
betw
een
a ke
y an
d an
othe
r CA
or
an �
end
entit
y.�
anot
her
CA o
r an
�en
d en
tity.
� !!
An
end
enti
ty is
:A
n en
d en
tity
is:
""A
per
son
A p
erso
n""
A r
ole
(�VP
of s
ales
�)A
rol
e (�
VP o
f sal
es�)
""A
n or
gani
zati
onA
n or
gani
zati
on""
A p
seud
onym
A p
seud
onym
""A
pie
ce o
f har
dwar
e or
sof
twar
eA
pie
ce o
f har
dwar
e or
sof
twar
e""
An
acco
unt
An
acco
unt
!!So
me
CA�s
onl
y al
low
a s
ubse
t of t
hese
So
me
CA�s
onl
y al
low
a s
ubse
t of t
hese
ty
pes.
type
s.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
1919
CA H
iera
rchi
esCA
Hie
rarc
hies
!!CA
sCA
sca
n ce
rtify
oth
er
can
cert
ify o
ther
CA
sCA
sor
�en
d en
titi
es�
or �
end
enti
ties
�!!
Cert
ifica
tes
are
links
in a
tree
of
Cert
ifica
tes
are
links
in a
tree
of
EEs
EEs
&
& C
As
CAs
CA
EE
Roo
tC
A
CA
EEC
AEE
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2020
BAL�
sBA
L�s
No
No --
Frill
s Fr
ills
Cert
sCe
rts
!!Ce
rtifi
cate
s ca
n co
ntai
n al
l sor
ts o
f Ce
rtifi
cate
s ca
n co
ntai
n al
l sor
ts o
f in
form
atio
n in
side
them
info
rmat
ion
insi
de th
em""
We�
ll ta
lk a
bout
the
deta
ils in
a li
ttle
bit
We�
ll ta
lk a
bout
the
deta
ils in
a li
ttle
bit
!!In
the
abst
ract
, tho
ugh,
they
�re
just
In
the
abst
ract
, tho
ugh,
they
�re
just
st
atem
ents
by
an is
suer
abo
ut a
st
atem
ents
by
an is
suer
abo
ut a
su
bjec
t:su
bjec
t:
Issu
er
Subj
ect
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2121
Doe
s A
lice
trus
t Bob
�s K
ey?
Doe
s A
lice
trus
t Bob
�s K
ey?
!!A
lice
trus
ts B
ob�s
key
if th
ere
is a
A
lice
trus
ts B
ob�s
key
if th
ere
is a
cha
in o
f ch
ain
of
cert
ifica
tes
cert
ifica
tes
from
Bob
�s k
ey to
a r
oot C
A th
at
from
Bob
�s k
ey to
a r
oot C
A th
at
Alic
e im
plic
itly
trus
tsA
lice
impl
icit
ly tr
usts C
AEE
Roo
tC
A
CA EE
Roo
t CA
CA
Roo
t CA
Roo
t CA
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2222
Chai
n Bu
ildin
g &
Val
idat
ion
Chai
n Bu
ildin
g &
Val
idat
ion
!!�� G
iven
an
end
Giv
en a
n en
d --en
tity
cer
tific
ate,
doe
s th
ere
enti
ty c
erti
ficat
e, d
oes
ther
e ex
ist a
cry
ptog
raph
ical
ly v
alid
cha
in o
f ex
ist a
cry
ptog
raph
ical
ly v
alid
cha
in o
f ce
rtifi
cate
s lin
king
it to
a tr
uste
d ro
ot
cert
ifica
tes
linki
ng it
to a
trus
ted
root
ce
rtifi
cate
?�ce
rtifi
cate
?�
CA
EER
oot
CA
CA EE
Roo
t CA
CA
Roo
t CA
Roo
t CA
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2323
Chai
ning
Cer
tific
ates
Chai
ning
Cer
tific
ates
!!In
theo
ry, b
uild
ing
chai
ns o
f In
theo
ry, b
uild
ing
chai
ns o
f ce
rtifi
cate
s sh
ould
be
easy
cert
ifica
tes
shou
ld b
e ea
sy""
�Jus
t lin
k th
em to
geth
er li
ke d
omin
os�
�Jus
t lin
k th
em to
geth
er li
ke d
omin
os�
!!In
pra
ctic
e, it
�s a
lot m
ore
In p
ract
ice,
it�s
a lo
t mor
e co
mpl
icat
ed...
com
plic
ated
...
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2424
Chai
n Bu
ildin
g D
etai
ls (1
)Ch
ain
Build
ing
Det
ails
(1)
CA
2C
A1
EE1
Roo
tC
A
EE2
CA
2
EE3
Roo
t CA
CA
1
Roo
t CA
CA
2
CA
1
EE2
CA
1
EE1
EE3
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2525
Chai
n Bu
ildin
g D
etai
ls (2
)Ch
ain
Build
ing
Det
ails
(2)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2626
Chai
n Bu
ildin
g D
etai
ls (3
)Ch
ain
Build
ing
Det
ails
(3)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2727
Chai
n Bu
ildin
g D
etai
ls (3
)Ch
ain
Build
ing
Det
ails
(3)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Brid
geC
A
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2828
Chai
n Bu
ildin
g D
etai
ls (3
)Ch
ain
Build
ing
Det
ails
(3)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Brid
geC
A
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
2929
Chai
n Bu
ildin
g D
etai
ls (3
)Ch
ain
Build
ing
Det
ails
(3)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Brid
geC
A
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3030
Chai
n Bu
ildin
g D
etai
ls (3
)Ch
ain
Build
ing
Det
ails
(3)
CA
2C
A1
EE1
Roo
tC
A1
EE2
EE3
Roo
tC
A2
Brid
geC
A
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3131
Chai
ning
Cer
tific
ates
Chai
ning
Cer
tific
ates
!!H
ow d
o w
e de
term
ine
whe
ther
two
How
do
we
dete
rmin
e w
heth
er tw
o ce
rtifi
cate
s ch
ain
toge
ther
?ce
rtifi
cate
s ch
ain
toge
ther
?""
You�
d th
ink
this
was
an
easy
pro
blem
...Yo
u�d
thin
k th
is w
as a
n ea
sy p
robl
em...
""Bu
t it�s
act
ually
a q
uest
ion
with
rel
igio
us
But i
t�s a
ctua
lly a
que
stio
n w
ith r
elig
ious
si
gnifi
canc
e in
the
secu
rity
com
mun
itysi
gnifi
canc
e in
the
secu
rity
com
mun
ity""
�Are
you
a b
elie
ver
in
�Are
you
a b
elie
ver
in n
ames
nam
es, o
r in
, o
r in
key
ske
ys?�?�
!!In
ord
er to
und
erst
and
the
schi
sm, w
e In
ord
er to
und
erst
and
the
schi
sm, w
e ne
ed to
dig
ress
for
a bi
t and
talk
ne
ed to
dig
ress
for
a bi
t and
talk
ab
out n
ames
and
som
e hi
stor
yab
out n
ames
and
som
e hi
stor
y
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3232
PKI A
lpha
bet S
oup
PKI A
lpha
bet S
oup
!!X.
509v
3 X.
509v
3 --
stan
dard
con
tent
of a
st
anda
rd c
onte
nt o
f a
cert
ifica
tece
rtifi
cate
!!PK
IX
PKIX
��IE
TF W
orki
ng G
roup
on
PKI
IETF
Wor
king
Gro
up o
n PK
I in
tero
pera
bilit
yin
tero
pera
bilit
y""
PKIX
==
Pub
lic K
ey In
fras
truc
ture
usi
ng
PKIX
==
Pub
lic K
ey In
fras
truc
ture
usi
ng
X.50
9v3
cert
ifica
tes
X.50
9v3
cert
ifica
tes
!!A
SN.1
A
SN.1
--A
bstr
act S
ynta
x N
otat
ion,
A
bstr
act S
ynta
x N
otat
ion,
ex
act d
escr
ipti
on o
f a c
erti
ficat
e ex
act d
escr
ipti
on o
f a c
erti
ficat
e fo
rmat
form
at!!
DER
D
ER --
Dis
tingu
ishe
d En
codi
ng R
ules
, D
istin
guis
hed
Enco
ding
Rul
es,
how
to p
hysi
cally
pac
kage
a c
erti
ficat
eho
w to
phy
sica
lly p
acka
ge a
cer
tific
ate
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3333
The
X.50
0 D
irec
tory
Mod
elTh
e X.
500
Dir
ecto
ry M
odel
!!Th
e m
odel
SSL
/TLS
use
s, th
e X.
509
The
mod
el S
SL/T
LS u
ses,
the
X.50
9 ce
rtifi
cate
mod
el, i
s ba
sed
on n
ames
cert
ifica
te m
odel
, is
base
d on
nam
es""
Nam
es a
s pr
inci
ples
Nam
es a
s pr
inci
ples
!!Sp
ecifi
cally
, X.5
09 is
bas
ed o
n th
e Sp
ecifi
cally
, X.5
09 is
bas
ed o
n th
e X.
500
dire
ctor
y m
odel
X.50
0 di
rect
ory
mod
el!!
X.50
0 de
fined
a g
loba
l, al
lX.
500
defin
ed a
glo
bal,
all --
enco
mpa
ssin
g di
rect
ory,
to b
e ru
n by
en
com
pass
ing
dire
ctor
y, to
be
run
by
the
the
telc
oste
lcos
""O
ne d
irec
tory
to r
ule
them
all,
one
O
ne d
irec
tory
to r
ule
them
all,
one
di
rect
ory
to d
efin
e th
em...
dire
ctor
y to
def
ine
them
...
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3434
X.50
0 D
istin
guis
hed
Nam
esX.
500
Dis
tingu
ishe
d N
ames
!!In
the
X.50
0 m
odel
, eve
ryth
ing
has
a In
the
X.50
0 m
odel
, eve
ryth
ing
has
a si
ngle
, uni
que,
glo
bal,
assi
gned
nam
esi
ngle
, uni
que,
glo
bal,
assi
gned
nam
e""
Ther
e is
a w
orld
wid
e hi
erar
chy,
and
Th
ere
is a
wor
ldw
ide
hier
arch
y, a
nd
you�
re in
it!
you�
re in
it!
Cou
ntry
C=U
S
SP
= O
RS
tate
or P
rovi
nce
SP
= W
A
Loca
lity
L=R
edm
ond
Org
aniz
atio
nO
=Mic
roso
ft
L=Se
attle
O=U
niv.
of W
ashi
ngto
n
SP
= C
A
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3535
DN
sD
Ns
in P
ract
ice
in P
ract
ice
!!N
ame
is u
niqu
e w
ithin
the
scop
e of
N
ame
is u
niqu
e w
ithin
the
scop
e of
th
e CA
�s n
ame
the
CA�s
nam
e!!
Publ
ic
Publ
ic C
As
CAs
(e.g
. (e
.g. V
eris
ign
Veri
sign
) typ
ical
ly s
et) t
ypic
ally
set
""C
= C
A C
ount
ryC
= C
A C
ount
ry""
O =
CA
Nam
eO
= C
A N
ame
""O
U =
Cer
tific
ate
type
/cla
ssO
U =
Cer
tific
ate
type
/cla
ss""
CN =
Use
r na
me
CN =
Use
r na
me
""E=
em
ail a
ddre
ssE=
em
ail a
ddre
ss
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3636
Priv
ate
Priv
ate --
labe
l la
bel D
Ns
DN
s!!
If y
ou o
wn
the
CA, y
ou g
et to
dec
ide
If y
ou o
wn
the
CA, y
ou g
et to
dec
ide
wha
t fie
lds
go in
the
DN
wha
t fie
lds
go in
the
DN
""Re
ally
var
ies
on w
hat t
he s
oftw
are
Real
ly v
arie
s on
wha
t the
sof
twar
e su
ppor
tssu
ppor
ts!!
Can
get r
eally
str
ange
as
peop
le tr
y to
Ca
n ge
t rea
lly s
tran
ge a
s pe
ople
try
to
gues
s va
lues
for
field
s th
at a
re
gues
s va
lues
for
field
s th
at a
re
requ
ired
by
soft
war
ere
quir
ed b
y so
ftw
are
""So
ftw
are
requ
ires
an
OU
, we
don�
t hav
e So
ftw
are
requ
ires
an
OU
, we
don�
t hav
e O
Us
OU
s , s
o I b
ette
r m
ake
som
ethi
ng u
p!, s
o I b
ette
r m
ake
som
ethi
ng u
p!
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3737
DN
sD
Ns
in X
.509
Cer
tific
ates
in X
.509
Cer
tific
ates
!!Th
e X.
509
cert
ifica
te s
tand
ard
bega
n Th
e X.
509
cert
ifica
te s
tand
ard
bega
n as
a w
ay to
ass
ocia
te a
cer
tific
ate
with
as
a w
ay to
ass
ocia
te a
cer
tific
ate
with
a
node
in th
e di
rect
ory.
a no
de in
the
dire
ctor
y.!!
How
is th
e su
bjec
t of a
cer
t ide
ntifi
ed?
How
is th
e su
bjec
t of a
cer
t ide
ntifi
ed?
""By
its
DN
.By
its
DN
.!!
How
is th
e is
suer
of a
cer
t ide
ntifi
ed?
How
is th
e is
suer
of a
cer
t ide
ntifi
ed?
""By
its
DN
.By
its
DN
.!!
How
are
cer
tific
ates
link
ed to
geth
er?
How
are
cer
tific
ates
link
ed to
geth
er?
""By
By
DN
sD
Ns ..
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3838
Key
field
s in
a c
ertif
icat
eKe
y fie
lds
in a
cer
tific
ate
!!Th
e co
re fi
elds
of a
n X.
509
cert
ifica
te
The
core
fiel
ds o
f an
X.50
9 ce
rtifi
cate
ar
ear
e""
The
subj
ect p
ublic
key
The
subj
ect p
ublic
key
""Th
e su
bjec
t Dis
ting
uish
ed N
ame
The
subj
ect D
isti
ngui
shed
Nam
e""
The
issu
er D
isti
ngui
shed
Nam
eTh
e is
suer
Dis
ting
uish
ed N
ame
!!W
hat�
s m
issi
ng h
ere?
Wha
t�s
mis
sing
her
e?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
3939
Key
field
s in
a c
ertif
icat
eKe
y fie
lds
in a
cer
tific
ate
!!Th
e co
re fi
elds
of a
n X.
509
cert
ifica
te
The
core
fiel
ds o
f an
X.50
9 ce
rtifi
cate
ar
ear
e""
The
subj
ect p
ublic
key
The
subj
ect p
ublic
key
""Th
e su
bjec
t Dis
ting
uish
ed N
ame
The
subj
ect D
isti
ngui
shed
Nam
e""
The
issu
er D
isti
ngui
shed
Nam
eTh
e is
suer
Dis
ting
uish
ed N
ame
!!W
hat�
s m
issi
ng h
ere?
Wha
t�s
mis
sing
her
e?""
The
issu
er�s
pub
lic k
ey is
Th
e is
suer
�s p
ublic
key
is n
otnot
pres
ent i
n pr
esen
t in
the
cert
ifica
te.
the
cert
ifica
te.
""Yo
u ca
n�t v
erify
the
sign
atur
e on
the
cert
Yo
u ca
n�t v
erify
the
sign
atur
e on
the
cert
w
itho
ut fi
ndin
g a
pare
nt c
ert!
wit
hout
find
ing
a pa
rent
cer
t!
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4040
Back
to C
hain
Bui
ldin
gBa
ck to
Cha
in B
uild
ing
!!O
K, a
ssum
e w
e�re
a �
rely
ing
part
y O
K, a
ssum
e w
e�re
a �
rely
ing
part
y ap
plic
atio
n�
appl
icat
ion�
----
som
ethi
ng th
at
som
ethi
ng th
at
rece
ived
an
end
rece
ived
an
end --
enti
ty c
erti
ficat
e an
d en
tity
cer
tific
ate
and
wan
ts to
ver
ify it
.w
ants
to v
erify
it.
""O
ur ta
sk is
to b
uild
a c
ert c
hain
from
that
O
ur ta
sk is
to b
uild
a c
ert c
hain
from
that
en
den
d --en
tity
cer
t to
one
of o
ur tr
uste
d en
tity
cer
t to
one
of o
ur tr
uste
d ro
ots
root
s!!
How
do
we
do th
at?
How
do
we
do th
at?
""W
e st
art w
ith
our
EE c
ert,
and
usin
g th
e W
e st
art w
ith
our
EE c
ert,
and
usin
g th
e in
form
atio
n co
ntai
ned
wit
hin
we
look
for
info
rmat
ion
cont
aine
d w
ithi
n w
e lo
ok fo
r po
ssib
le p
aren
t cer
tific
ates
. po
ssib
le p
aren
t cer
tific
ates
.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4141
Pare
nt
Pare
nt c
erts
cert
s!!
Wha
t�s
a va
lid p
aren
t cer
tific
ate?
Wha
t�s
a va
lid p
aren
t cer
tific
ate?
""In
the
raw
X.5
09 m
odel
, par
ent
In th
e ra
w X
.509
mod
el, p
aren
t --ch
ild
child
re
lati
onsh
ips
are
dete
rmin
ed s
olel
y by
re
lati
onsh
ips
are
dete
rmin
ed s
olel
y by
m
atch
ing
Issu
er D
N in
the
child
to
mat
chin
g Is
suer
DN
in th
e ch
ild to
Su
bjec
t DN
in th
e pa
rent
Subj
ect D
N in
the
pare
nt""
Reca
ll th
at th
ere�
s an
ass
umpt
ion
that
Re
call
that
ther
e�s
an a
ssum
ptio
n th
at
you
have
a b
ig d
irec
tory
han
dy to
find
yo
u ha
ve a
big
dir
ecto
ry h
andy
to fi
nd
cert
sce
rts ..
!!If
you
don
�t h
ave
a di
rect
ory
hand
y,
If y
ou d
on�t
hav
e a
dire
ctor
y ha
ndy,
yo
u ne
ed to
do
the
mat
chin
g yo
urse
lfyo
u ne
ed to
do
the
mat
chin
g yo
urse
lf""
This
is n
ot a
s ea
sy a
s yo
u m
ight
thin
k�Th
is is
not
as
easy
as
you
mig
ht th
ink�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4242
Nam
e m
atch
ing
Nam
e m
atch
ing
Issu
er N
ame
Subj
ect N
ame
Issu
er N
ame
Subj
ect N
ame
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4343
Mat
chin
g N
ames
Mat
chin
g N
ames
!!H
ow d
o w
e de
term
ine
if tw
o H
ow d
o w
e de
term
ine
if tw
o D
Ns
DN
sm
atch
?m
atch
?""
�Use
dir
ecto
ry n
ame
mat
chin
g ru
les!
��U
se d
irec
tory
nam
e m
atch
ing
rule
s!�
""Tr
y to
be
mild
ly s
mar
t abo
ut it
Try
to b
e m
ildly
sm
art a
bout
it""
Rem
ove
spac
es, c
ase
Rem
ove
spac
es, c
ase --
fold
, etc
.fo
ld, e
tc.
""D
isas
ter�
Dis
aste
r�""
Try
to b
e re
ally
dum
b ab
out i
tTr
y to
be
real
ly d
umb
abou
t it
""Ex
act b
inar
y m
atch
Exac
t bin
ary
mat
ch""
Less
of a
dis
aste
r, bu
t the
re a
re s
till
Less
of a
dis
aste
r, bu
t the
re a
re s
till
prob
lem
s w
e ca
n�t w
ork
arou
nd�
prob
lem
s w
e ca
n�t w
ork
arou
nd�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4444
Uni
code
Nam
esU
nico
de N
ames
!!A
re th
ese
two
char
acte
r eq
ual?
Are
thes
e tw
o ch
arac
ter
equa
l?éé
éé!!
They
look
equ
alTh
ey lo
ok e
qual
��
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4545
Uni
code
Nam
esU
nico
de N
ames
!!A
re th
ese
two
char
acte
r eq
ual?
Are
thes
e tw
o ch
arac
ter
equa
l?éé
éé!!
They
look
equ
alTh
ey lo
ok e
qual
��!!
��bu
t may
not
be
but m
ay n
ot b
e!!
In U
nico
de, y
ou c
an c
ompo
se c
hara
cter
s, s
o:In
Uni
code
, you
can
com
pose
cha
ract
ers,
so:
""�é
��é
�as
one
cha
ract
eras
one
cha
ract
er""
�é�
�é�
as tw
o ch
arac
ters
as
two
char
acte
rs ��
�� ee��
follo
wed
by
non
follo
wed
by
non --
spac
ing
acce
ntsp
acin
g ac
cent
""�é
��é
�as
two
char
acte
rs
as tw
o ch
arac
ters
��no
nno
n --sp
acin
g ac
cent
sp
acin
g ac
cent
fo
llow
ed b
y fo
llow
ed b
y �� ee
��
!!Ic
kIc
k !!
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4646
Even
Mor
e Ch
ain
Build
ing
Even
Mor
e Ch
ain
Build
ing
!!N
ame
mat
chin
g is
just
the
begi
nnin
g N
ame
mat
chin
g is
just
the
begi
nnin
g of
the
chai
nof
the
chai
n --bu
ildin
g pr
oces
sbu
ildin
g pr
oces
s""
It is
It
is n
eces
sary
nece
ssar
yth
at s
ubje
ct a
nd is
suer
th
at s
ubje
ct a
nd is
suer
DN
sD
Ns
exac
tly
mat
ch fo
r tw
o ex
actl
y m
atch
for
two
cert
sce
rts
to c
hain
, but
to
cha
in, b
ut
not a
lway
s no
t alw
ays
suff
icie
ntsu
ffic
ient
!!Th
e ch
ain
build
ing
proc
ess
is a
lso
The
chai
n bu
ildin
g pr
oces
s is
als
o in
fluen
ced
dyna
mic
ally
by
othe
r in
fluen
ced
dyna
mic
ally
by
othe
r in
form
atio
n co
ntai
ned
with
in th
e in
form
atio
n co
ntai
ned
with
in th
e ce
rts
cert
sth
emse
lves
them
selv
es""
Wha
t oth
er in
form
atio
n is
ther
e in
W
hat o
ther
info
rmat
ion
is th
ere
in c
erts
cert
s ??
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4747
Trus
ted
Root
Cer
tific
ates
Trus
ted
Root
Cer
tific
ates
!!W
ho d
o I t
rust
to b
e ro
ots
at th
e to
p W
ho d
o I t
rust
to b
e ro
ots
at th
e to
p of
the
cert
cha
in?
of th
e ce
rt c
hain
?!!
In th
eory
, �an
yone
you
wan
t�In
theo
ry, �
anyo
ne y
ou w
ant�
!!In
pra
ctic
e, tr
uste
d ro
ots
com
e fr
om
In p
ract
ice,
trus
ted
root
s co
me
from
tw
o so
urce
stw
o so
urce
s""
They
�re
bake
d in
to y
our
web
bro
wse
r or
Th
ey�r
e ba
ked
into
you
r w
eb b
row
ser
or
oper
atin
g sy
stem
oper
atin
g sy
stem
""Th
ey�r
e pu
shed
ont
o yo
ur �
ente
rpri
se
They
�re
push
ed o
nto
your
�en
terp
rise
m
anag
ed d
eskt
op�
man
aged
des
ktop
�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
4848
Trus
ted
Root
Cer
tific
ates
Trus
ted
Root
Cer
tific
ates
Cert
ifica
te E
xten
sion
sCe
rtifi
cate
Ext
ensi
ons
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5050
Expl
orin
g in
side
an
X.50
9 Ce
rtEx
plor
ing
insi
de a
n X.
509
Cert
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5151
Expl
orin
g in
side
an
X.50
9 Ce
rtEx
plor
ing
insi
de a
n X.
509
Cert
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5252
Expl
orin
g in
side
an
X.50
9 Ce
rtEx
plor
ing
insi
de a
n X.
509
Cert
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5353
Insi
de a
n X.
509v
3 Ce
rtifi
cate
Insi
de a
n X.
509v
3 Ce
rtifi
cate
Ver
sion
Issu
er D
istin
guis
hed
Nam
e
Subj
ect P
ublic
Key
Sign
ing
Alg
orith
m
Val
idity
Per
iod
Subj
ect D
istin
guis
hed
Nam
e
Seria
l Num
ber
Exte
nsio
nsEx
tens
ion
1Ex
tens
ion
2
Exte
nsio
n n
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5454
Cert
ifica
te E
xten
sion
sCe
rtifi
cate
Ext
ensi
ons
!!A
n ex
tens
ion
cons
ists
of t
hree
thin
gs:
An
exte
nsio
n co
nsis
ts o
f thr
ee th
ings
:""
A �
crit
ical
� fla
g (
A �
crit
ical
� fla
g ( b
oole
anbo
olea
n ))""
A ty
pe id
enti
fier
A ty
pe id
enti
fier
""A
val
ue
A v
alue
""
Form
at o
f the
val
ue d
epen
ds o
n th
e Fo
rmat
of t
he v
alue
dep
ends
on
the
type
iden
tifie
rty
pe id
enti
fier
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5555
Cert
ifica
te E
xten
sion
sCe
rtifi
cate
Ext
ensi
ons
Exte
nsio
nsKe
y U
sage
Criti
cal?
Subj
ect K
ey ID
Criti
cal?
Auth
ority
Key
IDCr
itica
l?
CRL
Dist
ribut
ion
Poin
tsCr
itica
l?
Auth
ority
Info
Acc
ess
Criti
cal?
Exte
nded
Key
Usa
geCr
itica
l?
Subj
ect A
lt N
ame
Criti
cal?
Cert
ifica
te P
olic
ies
Criti
cal?
Prop
rieta
ry E
xten
sion
1Cr
itica
l?
Prop
rieta
ry E
xten
sion
nCr
itica
l?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5656
Criti
cal F
lags
Criti
cal F
lags
!!Th
e �c
ritic
al fl
ag�
on a
n ex
tens
ion
is
The
�cri
tical
flag
� on
an
exte
nsio
n is
us
ed to
pro
tect
the
issu
ing
CA fr
om
used
to p
rote
ct th
e is
suin
g CA
from
as
sum
ptio
ns m
ade
by s
oftw
are
that
as
sum
ptio
ns m
ade
by s
oftw
are
that
do
esn�
t und
erst
and
(impl
emen
t do
esn�
t und
erst
and
(impl
emen
t su
ppor
t for
) a p
arti
cula
r ex
tens
ion
supp
ort f
or) a
par
ticu
lar
exte
nsio
n""
If th
e fla
g is
set
, rel
ying
par
ties
mus
t If
the
flag
is s
et, r
elyi
ng p
arti
es m
ust
proc
ess
the
exte
nsio
n if
they
rec
ogni
ze it
, pr
oces
s th
e ex
tens
ion
if th
ey r
ecog
nize
it,
or r
ejec
t the
cer
tific
ate
or r
ejec
t the
cer
tific
ate
""If
the
flag
is n
ot s
et, t
he e
xten
sion
may
If
the
flag
is n
ot s
et, t
he e
xten
sion
may
be
igno
red
be ig
nore
d
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5757
Criti
cal F
lags
(2)
Criti
cal F
lags
(2)
!!So
me
ques
tions
you
mig
ht b
e as
king
So
me
ques
tions
you
mig
ht b
e as
king
yo
urse
lf ri
ght n
ow...
your
self
righ
t now
...!!
Wha
t doe
s �m
ust p
roce
ss th
e W
hat d
oes
�mus
t pro
cess
the
exte
nsio
n if
they
rec
ogni
ze it
� m
ean?
exte
nsio
n if
they
rec
ogni
ze it
� m
ean?
""W
hat d
oes
�rec
ogni
ze�
mea
n?W
hat d
oes
�rec
ogni
ze�
mea
n?""
Wha
t doe
s �p
roce
ss�
mea
n?W
hat d
oes
�pro
cess
� m
ean?
""Yo
u�ve
got
me.
...Yo
u�ve
got
me.
...""
The
IETF
sta
ndar
ds fo
lks
didn
�t k
now
Th
e IE
TF s
tand
ards
folk
s di
dn�t
kno
w
eith
er...
eith
er...
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5858
Criti
cal F
lags
(3)
Criti
cal F
lags
(3)
!!A
ctua
l def
initi
ons
of fl
ag u
sage
are
A
ctua
l def
initi
ons
of fl
ag u
sage
are
va
gue:
vagu
e:""
X.50
9: N
onX.
509:
Non
-- cri
tica
l ext
ensi
on �
is a
n cr
itic
al e
xten
sion
�is
an
advi
sory
fiel
d an
d do
es n
ot im
ply
that
ad
viso
ry fi
eld
and
does
not
impl
y th
at
usag
e of
the
key
is r
estr
icte
d to
the
usag
e of
the
key
is r
estr
icte
d to
the
purp
ose
indi
cate
d�pu
rpos
e in
dica
ted�
""PK
IX: �
CA�s
are
req
uire
d to
sup
port
PK
IX: �
CA�s
are
req
uire
d to
sup
port
co
nstr
ain
exte
nsio
ns�
but �
supp
ort�
is
cons
trai
n ex
tens
ions
� bu
t �su
ppor
t� is
ne
ver
defin
ed.
neve
r de
fined
.""
S/M
IME:
Impl
emen
tati
ons
shou
ld
S/M
IME:
Impl
emen
tati
ons
shou
ld
�cor
rect
ly h
andl
e� c
erta
in e
xten
sion
s�c
orre
ctly
han
dle�
cer
tain
ext
ensi
ons
""Ve
risi
gnVe
risi
gn: �
All
pers
ons
shal
l pro
cess
the
: �A
ll pe
rson
s sh
all p
roce
ss th
e ex
tens
ion.
..or
else
igno
re th
e ex
tens
ion�
exte
nsio
n...o
r el
se ig
nore
the
exte
nsio
n�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
5959
Type
s of
Ext
ensi
ons
Type
s of
Ext
ensi
ons
!!Th
ere
are
two
flavo
rs o
f ext
ensi
ons
Ther
e ar
e tw
o fla
vors
of e
xten
sion
s""
Usa
ge/i
nfor
mat
iona
l ext
ensi
ons,
whi
ch
Usa
ge/i
nfor
mat
iona
l ext
ensi
ons,
whi
ch
prov
ide
addi
tion
al in
fo a
bout
the
subj
ect
prov
ide
addi
tion
al in
fo a
bout
the
subj
ect
of th
e ce
rtifi
cate
of th
e ce
rtifi
cate
""Co
nstr
aint
ext
ensi
ons,
whi
ch p
lace
Co
nstr
aint
ext
ensi
ons,
whi
ch p
lace
re
stri
ctio
ns o
n on
e or
mor
e of
:re
stri
ctio
ns o
n on
e or
mor
e of
:""
Use
of t
he c
erti
ficat
eU
se o
f the
cer
tific
ate
""Th
e us
er o
f the
cer
tific
ate
The
user
of t
he c
erti
ficat
e""
The
keys
ass
ocia
ted
wit
h th
e ce
rtifi
cate
The
keys
ass
ocia
ted
wit
h th
e ce
rtifi
cate
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6060
Som
e co
mm
on e
xten
sion
sSo
me
com
mon
ext
ensi
ons
!!Ke
y U
sage
Key
Usa
ge""
digi
talS
igna
ture
digi
talS
igna
ture
""�S
ign
thin
gs th
at d
on�t
look
like
�S
ign
thin
gs th
at d
on�t
look
like
cer
tsce
rts ��
""ke
yEnc
iphe
rmen
tke
yEnc
iphe
rmen
t""
Exch
ange
enc
rypt
ed s
essi
on k
eys
Exch
ange
enc
rypt
ed s
essi
on k
eys
""ke
yAgr
eem
ent
keyA
gree
men
t""
Diff
ieD
iffie
-- Hel
lman
Hel
lman
""ke
yCer
tSig
n/ke
yCRL
Sign
keyC
ertS
ign/
keyC
RLSi
gn""
�Sig
n th
ings
that
look
like
�S
ign
thin
gs th
at lo
ok li
ke c
erts
cert
s ��""
nonR
epid
iati
onno
nRep
idia
tion
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6161
Non
Repu
diat
ion
Non
Repu
diat
ion
!!Th
e Th
e no
nRep
udia
tion
nonR
epud
iatio
nbi
t is
the
blac
k bi
t is
the
blac
k ho
le o
f PKI
Xho
le o
f PKI
X""
It a
bsor
bs in
finit
e am
ount
s of
arg
umen
t It
abs
orbs
infin
ite
amou
nts
of a
rgum
ent
tim
e on
the
mai
ling
list w
itho
ut m
akin
g ti
me
on th
e m
ailin
g lis
t wit
hout
mak
ing
any
prog
ress
tow
ard
unde
rsta
ndin
g w
hat
any
prog
ress
tow
ard
unde
rsta
ndin
g w
hat
it m
eans
it m
eans
""W
hat d
oes
it m
ean?
How
do
you
enfo
rce
Wha
t doe
s it
mea
n? H
ow d
o yo
u en
forc
e th
at?
that
?""
No
one
know
s...
No
one
know
s...
!!�� N
onre
pudi
atio
nN
onre
pudi
atio
nis
any
thin
g w
hich
is
any
thin
g w
hich
fa
ils to
go
away
whe
n yo
u st
op
fails
to g
o aw
ay w
hen
you
stop
be
lievi
ng in
it�
belie
ving
in it
�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6262
Mor
e Ex
tens
ions
Mor
e Ex
tens
ions
!!Su
bjec
t Key
IDSu
bjec
t Key
ID""
Shor
t ide
ntifi
er fo
r th
e su
bjec
t pub
lic k
eySh
ort i
dent
ifier
for
the
subj
ect p
ublic
key
!!A
utho
rity
Key
IDA
utho
rity
Key
ID""
Shor
t ide
ntifi
er fo
r th
e is
suer
�s p
ublic
key
Sh
ort i
dent
ifier
for
the
issu
er�s
pub
lic k
ey
��us
eful
for
loca
ting
pos
sibl
e pa
rent
us
eful
for
loca
ting
pos
sibl
e pa
rent
cer
tsce
rts
!!CR
L D
istr
ibut
ion
Poin
tsCR
L D
istr
ibut
ion
Poin
ts""
List
of U
RLs
poin
ting
to r
evoc
atio
n Li
st o
f URL
s po
inti
ng to
rev
ocat
ion
info
rmat
ion
serv
ers
info
rmat
ion
serv
ers
!!A
utho
rity
Info
Acc
ess
Aut
hori
ty In
fo A
cces
s""
Poin
ter
to is
suer
cer
t pub
licat
ion
loca
tion
Poin
ter
to is
suer
cer
t pub
licat
ion
loca
tion
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6363
Even
Mor
e Ex
tens
ions
Even
Mor
e Ex
tens
ions
!!Ba
sic
cons
trai
nts
Basi
c co
nstr
aint
s""
Is th
e ce
rt a
CA
cer
t?�
Is th
e ce
rt a
CA
cer
t?�
""Li
mit
s on
pat
h le
ngth
ben
eath
this
cer
tLi
mit
s on
pat
h le
ngth
ben
eath
this
cer
t!!
Nam
e co
nstr
aint
sN
ame
cons
trai
nts
""Li
mit
s on
type
s of
Li
mit
s on
type
s of
cer
tsce
rts
this
key
can
issu
eth
is k
ey c
an is
sue
!!Po
licy
map
ping
sPo
licy
map
ping
s""
Conv
ert o
ne p
olic
y ID
into
ano
ther
Conv
ert o
ne p
olic
y ID
into
ano
ther
!!Po
licy
cons
trai
nts
Polic
y co
nstr
aint
s""
Ant
iA
nti --
mat
ter
for
polic
y m
appi
ngs
mat
ter
for
polic
y m
appi
ngs
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6464
Still
Mor
e Ex
tens
ions
Still
Mor
e Ex
tens
ions
!!Ex
tend
ed K
ey U
sage
Exte
nded
Key
Usa
ge""
Beca
use
Key
Usa
ge w
asn�
t con
fusi
ng
Beca
use
Key
Usa
ge w
asn�
t con
fusi
ng
enou
gh!
enou
gh!
!!Pr
ivat
e Ke
y U
sage
Per
iod
Priv
ate
Key
Usa
ge P
erio
d""
CA a
ttem
pt to
lim
it k
ey v
alid
ity
peri
odCA
att
empt
to li
mit
key
val
idit
y pe
riod
!!Su
bjec
t Alte
rnat
ive
nam
esSu
bjec
t Alte
rnat
ive
nam
es""
Ever
ythi
ng w
hich
doe
sn�t
fit i
n a
DN
Ever
ythi
ng w
hich
doe
sn�t
fit i
n a
DN
""RF
C822
nam
es, D
NS
nam
es,
RFC8
22 n
ames
, DN
S na
mes
, URI
sU
RIs
""IP
add
ress
es, X
.400
nam
es, E
DI,
etc.
IP a
ddre
sses
, X.4
00 n
ames
, ED
I, et
c.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6565
Yet S
till M
ore
Exte
nsio
nsYe
t Stil
l Mor
e Ex
tens
ions
!!Ce
rtifi
cate
pol
icie
sCe
rtifi
cate
pol
icie
s""
Info
rmat
ion
iden
tify
ing
the
CA p
olic
y In
form
atio
n id
enti
fyin
g th
e CA
pol
icy
that
was
in e
ffec
t whe
n th
e ce
rt w
as
that
was
in e
ffec
t whe
n th
e ce
rt w
as
issu
edis
sued
""Po
licy
iden
tifie
rPo
licy
iden
tifie
r""
Polic
y qu
alifi
erPo
licy
qual
ifier
""Ex
plic
it te
xtEx
plic
it te
xt""
Has
h re
fere
nce
(has
h +
URI
) to
a H
ash
refe
renc
e (h
ash
+ U
RI) t
o a
docu
men
tdo
cum
ent
!!X.
509
defe
rs c
ert s
eman
tics
to th
e CA
�s
X.50
9 de
fers
cer
t sem
antic
s to
the
CA�s
is
suin
g po
licy
issu
ing
polic
y!!
Mos
t CA
pol
icie
s di
scla
im li
abili
tyM
ost C
A p
olic
ies
disc
laim
liab
ility
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6666
Exte
nsio
ns a
nd C
hain
Bui
ldin
g Ex
tens
ions
and
Cha
in B
uild
ing
!!W
hen
you
build
a c
ert c
hain
, you
sta
rt
Whe
n yo
u bu
ild a
cer
t cha
in, y
ou s
tart
w
ith th
e EE
cer
t and
dis
cove
r po
ssib
le
with
the
EE c
ert a
nd d
isco
ver
poss
ible
pa
rent
cer
tific
ates
by
mat
chin
g pa
rent
cer
tific
ates
by
mat
chin
g D
Ns
DN
s""
�Bui
ld th
e ch
ain
from
the
bott
om u
p.�
�Bui
ld th
e ch
ain
from
the
bott
om u
p.�
!!H
owev
er, t
o ve
rify
a c
ert c
hain
, you
H
owev
er, t
o ve
rify
a c
ert c
hain
, you
ha
ve to
sta
rt a
nd th
e ro
ot a
nd
have
to s
tart
and
the
root
and
in
terp
ret a
ll th
e ex
tens
ions
that
may
in
terp
ret a
ll th
e ex
tens
ions
that
may
co
nstr
ain
subo
rdin
ate
cons
trai
n su
bord
inat
e CA
sCA
s(a
nd
(and
EEsEEs ))
""�B
uild
the
chai
n fr
om th
e to
p do
wn.
��B
uild
the
chai
n fr
om th
e to
p do
wn.
�
Cert
ifica
te L
ifecy
cle
Cert
ifica
te L
ifecy
cle
Man
agem
ent
Man
agem
ent
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6868
Life
cycl
e M
anag
emen
tLi
fecy
cle
Man
agem
ent
!!Ce
rtifi
cate
Enr
ollm
ent
Cert
ifica
te E
nrol
lmen
t""
Init
ial a
cqui
siti
on o
f a c
erti
ficat
e ba
sed
Init
ial a
cqui
siti
on o
f a c
erti
ficat
e ba
sed
on o
ther
aut
hent
icat
ion
info
rmat
ion
on o
ther
aut
hent
icat
ion
info
rmat
ion
!!Re
new
alRe
new
al""
Acq
uiri
ng a
new
cer
tific
ate
for
a ke
y A
cqui
ring
a n
ew c
erti
ficat
e fo
r a
key
whe
n th
e ex
isti
ng c
erti
ficat
e ex
pire
sw
hen
the
exis
ting
cer
tific
ate
expi
res
!!Re
voca
tion
Revo
catio
n""
�Und
oing
� a
cert
ifica
te�U
ndoi
ng�
a ce
rtifi
cate
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
6969
Cert
ifica
te E
nrol
lmen
tCe
rtifi
cate
Enr
ollm
ent
!!En
rollm
ent
Enro
llmen
tis
the
proc
ess
of o
btai
ning
is
the
proc
ess
of o
btai
ning
a
cert
ifica
te fr
om a
CA
.a
cert
ifica
te fr
om a
CA
.1.1.
Alic
e ge
nera
tes
a ke
y pa
ir, c
reat
es a
A
lice
gene
rate
s a
key
pair
, cre
ates
a
mes
sage
con
tain
ing
a co
py o
f the
m
essa
ge c
onta
inin
g a
copy
of t
he
publ
ic k
ey a
nd h
er id
enti
fyin
g pu
blic
key
and
her
iden
tify
ing
info
rmat
ion,
and
sig
ns th
e m
essa
ge
info
rmat
ion,
and
sig
ns th
e m
essa
ge
with
the
priv
ate
key
(PKC
S#10
).w
ith th
e pr
ivat
e ke
y (P
KCS#
10).
""Si
gnin
g th
e m
essa
ge p
rovi
ded
�pro
ofSi
gnin
g th
e m
essa
ge p
rovi
ded
�pro
of-- o
fof--
poss
essi
on�
(PO
P) o
f the
pri
vate
key
as
poss
essi
on�
(PO
P) o
f the
pri
vate
key
as
wel
l as
mes
sage
inte
grit
yw
ell a
s m
essa
ge in
tegr
ity
2.2.CA
ver
ifies
Alic
e�s
sign
atur
e on
the
CA v
erifi
es A
lice�
s si
gnat
ure
on th
e m
essa
gem
essa
ge
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7070
Cert
ifica
te E
nrol
lmen
t (2)
Cert
ifica
te E
nrol
lmen
t (2)
3.3.(O
ptio
nal)
CA v
erifi
es A
lice�
s ID
(O
ptio
nal)
CA v
erifi
es A
lice�
s ID
th
roug
h ou
tth
roug
h ou
t --ofof
-- ban
d m
eans
.ba
nd m
eans
.4.4.
CA c
reat
es a
cer
tific
ate
cont
aini
ng th
e CA
cre
ates
a c
ertif
icat
e co
ntai
ning
the
ID a
nd p
ublic
key
, and
sig
ns it
with
the
ID a
nd p
ublic
key
, and
sig
ns it
with
the
CA�s
ow
n ke
yCA
�s o
wn
key
""CA
has
cer
tifie
d th
e bi
ndin
g be
twee
n ke
y CA
has
cer
tifie
d th
e bi
ndin
g be
twee
n ke
y an
d ID
and
ID5.5.
Alic
e ve
rifie
s th
e ke
y, ID
& C
A
Alic
e ve
rifie
s th
e ke
y, ID
& C
A
sign
atur
esi
gnat
ure
6.6.A
lice
and/
or th
e CA
pub
lish
the
Alic
e an
d/or
the
CA p
ublis
h th
e ce
rtifi
cate
cert
ifica
te
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7171
Dire
ctor
yD
irect
ory
Cer
tC
ert
Clie
ntC
lient
CA
CA
Cer
tific
ate
Req
uest
Cer
tific
ate
Req
uest
and
Inst
alla
tion
and
Inst
alla
tion
Publ
ish
Cer
tific
ate?
Publ
ish
Cer
tific
ate?
Cert
ifica
te E
nrol
lmen
t Flo
wCe
rtifi
cate
Enr
ollm
ent F
low
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7272
Mor
e PK
I Alp
habe
t Sou
pM
ore
PKI A
lpha
bet S
oup
!!PK
CS #
10
PKCS
#10
��(o
ld) s
tand
ard
mes
sage
form
at
(old
) sta
ndar
d m
essa
ge fo
rmat
fo
r ce
rtifi
cate
req
uest
sfo
r ce
rtifi
cate
req
uest
s!!
PKCS
#7
PKCS
#7
��(o
ld) s
tand
ard
mes
sage
form
at
(old
) sta
ndar
d m
essa
ge fo
rmat
fo
r en
cryp
ted/
sign
ed d
ata
for
encr
ypte
d/si
gned
dat
a""
Als
o us
ed fo
r cer
tific
ate
requ
est r
espo
nses
Als
o us
ed fo
r cer
tific
ate
requ
est r
espo
nses
""Re
plac
ed b
y IE
TF C
MS
synt
axRe
plac
ed b
y IE
TF C
MS
synt
ax
!!CM
C CM
C ��
�Cer
tific
ate
Man
agem
ent w
ith
CMS�
�Cer
tific
ate
Man
agem
ent w
ith
CMS�
""Re
plac
emen
t for
PKC
S #1
0/PK
CS#7
in a
Re
plac
emen
t for
PKC
S #1
0/PK
CS#7
in a
ce
rtifi
cate
man
agem
ent c
onte
xtce
rtifi
cate
man
agem
ent c
onte
xt
!!CM
P CM
P ��
�Cer
tific
ate
Man
agem
ent P
roto
cols
��C
erti
ficat
e M
anag
emen
t Pro
toco
ls�
""A
lter
nati
ve to
CM
CA
lter
nati
ve to
CM
C
Revo
catio
nRe
voca
tion
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7474
Expi
ratio
n &
Rev
ocat
ion
Expi
ratio
n &
Rev
ocat
ion
!!Ce
rtifi
cate
s (a
t lea
st, a
ll th
e on
es w
e�re
Ce
rtifi
cate
s (a
t lea
st, a
ll th
e on
es w
e�re
co
ncer
ned
wit
h) c
onta
in e
xplic
it
conc
erne
d w
ith)
con
tain
exp
licit
va
lidity
per
iods
va
lidity
per
iods
���v
alid
from
� &
�v
alid
from
� &
�e
xpir
es o
n��e
xpir
es o
n�""
Expi
rati
on d
ates
hel
p bo
und
the
risk
Ex
pira
tion
dat
es h
elp
boun
d th
e ri
sk
asso
ciat
ed w
ith
issu
ing
a ce
rtifi
cate
asso
ciat
ed w
ith
issu
ing
a ce
rtifi
cate
!!So
met
imes
, tho
ugh,
it b
ecom
es
Som
etim
es, t
houg
h, it
bec
omes
ne
cess
ary
to �
undo
� a
cert
ifica
te w
hile
ne
cess
ary
to �
undo
� a
cert
ifica
te w
hile
it
is s
till
valid
it is
sti
ll va
lid""
Key
com
prom
ise
Key
com
prom
ise
""Ce
rt w
as is
sued
und
er fa
lse
pret
ense
sCe
rt w
as is
sued
und
er fa
lse
pret
ense
s!!
This
is c
alle
d re
voki
ng a
cer
tific
ate
This
is c
alle
d re
voki
ng a
cer
tific
ate
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7575
Stat
us In
fo fo
r Ce
rtifi
cate
sSt
atus
Info
for
Cert
ifica
tes
!!Tw
o st
anda
rds
with
in P
KIX:
Two
stan
dard
s w
ithin
PKI
X:""
X.50
9v2/
PKIX
Par
t 1 C
erti
ficat
e X.
509v
2/PK
IX P
art 1
Cer
tific
ate
Revo
cati
on L
ists
(Re
voca
tion
Lis
ts (
CRLs
CRLs
))""
Onl
ine
Cert
ifica
te S
tatu
s Pr
otoc
ol (O
CSP)
Onl
ine
Cert
ifica
te S
tatu
s Pr
otoc
ol (O
CSP)
!!Bo
th m
etho
ds s
tate
:Bo
th m
etho
ds s
tate
:""
Whe
ther
a c
ert h
as b
een
revo
ked
Whe
ther
a c
ert h
as b
een
revo
ked
""A
�re
voca
tion
cod
e� in
dica
ting
why
the
A
�re
voca
tion
cod
e� in
dica
ting
why
the
ce
rt w
as r
evok
edce
rt w
as r
evok
ed""
The
tim
e at
whi
ch th
e ce
rt w
as r
evok
edTh
e ti
me
at w
hich
the
cert
was
rev
oked
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7676
Cert
ifica
te R
evoc
atio
nCe
rtifi
cate
Rev
ocat
ion
!!A
CA
rev
okes
a c
ertif
icat
e by
pla
cing
A
CA
rev
okes
a c
ertif
icat
e by
pla
cing
th
e ce
rt o
n its
Cer
tific
ate
Revo
catio
n th
e ce
rt o
n its
Cer
tific
ate
Revo
catio
n Li
st (C
RL)
List
(CRL
)""
Ever
y CA
issu
es
Ever
y CA
issu
es C
RLs
CRLs
to c
ance
l out
issu
ed
to c
ance
l out
issu
ed
cert
sce
rts
""A
CRL
is li
ke a
nti
A C
RL is
like
ant
i --m
atte
r m
atte
r ��
whe
n it
com
es
whe
n it
com
es
into
con
tact
with
a c
erti
ficat
e it
list
s it
in
to c
onta
ct w
ith a
cer
tific
ate
it li
sts
it
canc
els
out t
he c
erti
ficat
eca
ncel
s ou
t the
cer
tific
ate
""Th
ink
�197
0sTh
ink
�197
0s-- s
tyle
cre
dit
styl
e cr
edit
-- car
d bl
ackl
ist�
card
bla
cklis
t�!!
Rely
ing
part
ies
are
expe
cted
to c
heck
Re
lyin
g pa
rtie
s ar
e ex
pect
ed to
che
ck
CRLs
CRLs
befo
re th
ey r
ely
on a
cer
tific
ate
befo
re th
ey r
ely
on a
cer
tific
ate
""�T
he c
ert i
s va
lid u
nles
s yo
u he
ar
�The
cer
t is
valid
unl
ess
you
hear
so
met
hing
telli
ng y
ou o
ther
wis
e�so
met
hing
telli
ng y
ou o
ther
wis
e�
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7777
The
Prob
lem
with
Th
e Pr
oble
m w
ith C
RLs
CRLs
!!Bl
ackl
ists
hav
e nu
mer
ous
prob
lem
sBl
ackl
ists
hav
e nu
mer
ous
prob
lem
s""
Not
issu
ed fr
eque
ntly
eno
ugh
to b
e N
ot is
sued
freq
uent
ly e
noug
h to
be
effe
ctiv
e ag
ains
t a s
erio
us a
ttac
kef
fect
ive
agai
nst a
ser
ious
att
ack
""Ex
pens
ive
to d
istr
ibut
e (s
ize
&
Expe
nsiv
e to
dis
trib
ute
(siz
e &
ba
ndw
idth
)ba
ndw
idth
)""
Vuln
erab
le to
sim
ple
DO
S at
tack
sVu
lner
able
to s
impl
e D
OS
atta
cks
""If
you
blo
ck o
n la
ck o
f CRL
acc
ess,
why
If
you
blo
ck o
n la
ck o
f CRL
acc
ess,
why
ha
ve o
ffha
ve o
ff-- l
ine
supp
ort i
n th
e fir
st p
lace
?lin
e su
ppor
t in
the
first
pla
ce?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7878
The
Prob
lem
with
Th
e Pr
oble
m w
ith C
RLs
CRLs
(2)
(2)
!!CR
L de
sign
mad
e it
wor
seCR
L de
sign
mad
e it
wor
se""
CLRs
CLRs
can
cont
ain
can
cont
ain
retr
oact
ive
retr
oact
ive
inva
lidit
y in
valid
ity
date
sda
tes
""A
CRL
issu
ed to
day
can
say
a ce
rt w
as
A C
RL is
sued
toda
y ca
n sa
y a
cert
was
in
valid
as
of
inva
lid a
s of
last
wee
kla
st w
eek .
. ""
Chec
king
that
som
ethi
ng w
as v
alid
at
Chec
king
that
som
ethi
ng w
as v
alid
at
time
time
t t w
asn�
t suf
ficie
nt!
was
n�t s
uffic
ient
!""
Back
Back
-- dat
ed
date
d CR
LsCR
Lsca
n ap
pear
at
any
can
appe
ar a
t an
y ti
me
in th
e fu
ture
tim
e in
the
futu
re""
If y
ou r
ely
on
If y
ou r
ely
on c
erts
cert
s&
&
CRL
sCR
Lsyo
u�re
scr
ewed
yo
u�re
scr
ewed
be
caus
e th
e CA
can
cha
nge
the
rule
s ou
t be
caus
e th
e CA
can
cha
nge
the
rule
s ou
t fr
om u
nder
you
late
r.fr
om u
nder
you
late
r.
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
7979
The
Prob
lem
with
Th
e Pr
oble
m w
ith C
RLs
CRLs
(3)
(3)
!!Re
voki
ng a
CA
cer
t is
mor
e pr
oble
mat
ic
Revo
king
a C
A c
ert i
s m
ore
prob
lem
atic
th
an r
evok
ing
an e
ndth
an r
evok
ing
an e
nd-- e
ntit
y ce
rten
tity
cer
t""
Whe
n yo
u re
voke
a C
A c
ert,
you
pote
ntia
lly ta
ke
Whe
n yo
u re
voke
a C
A c
ert,
you
pote
ntia
lly ta
ke
out t
he e
ntir
e su
bord
inat
e st
ruct
ure,
dep
endi
ng
out t
he e
ntir
e su
bord
inat
e st
ruct
ure,
dep
endi
ng
on w
hat c
hain
ing
logi
c yo
u us
eon
wha
t cha
inin
g lo
gic
you
use
!!H
ow d
o yo
u re
voke
a s
elf
How
do
you
revo
ke a
sel
f --si
gned
cer
t?si
gned
cer
t?""
�The
cer
t rev
okes
itse
lf.�
�The
cer
t rev
okes
itse
lf.�
""H
uh?
Huh
?""
Do
I acc
ept t
he C
RL a
s va
lid &
bou
nce
the
cert
?D
o I a
ccep
t the
CRL
as
valid
& b
ounc
e th
e ce
rt?
""D
o I r
ejec
t the
CRL
bec
ause
the
cert
ass
ocia
ted
Do
I rej
ect t
he C
RL b
ecau
se th
e ce
rt a
ssoc
iate
d w
ith th
e CR
L si
gnin
g ke
y w
as re
voke
d?w
ith th
e CR
L si
gnin
g ke
y w
as re
voke
d?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8080
The
Prob
lem
with
Th
e Pr
oble
m w
ith C
RLs
CRLs
(4)
(4)
!!Yo
u ca
n�t r
evok
e a
CRL
You
can�
t rev
oke
a CR
L""
Onc
e yo
u co
mm
it to
a C
RL, i
t�s
a va
lid
Onc
e yo
u co
mm
it to
a C
RL, i
t�s
a va
lid
stat
e fo
r th
e en
tire
ty o
f its
val
idit
y pe
riod
stat
e fo
r th
e en
tire
ty o
f its
val
idit
y pe
riod
!!W
hat h
appe
ns if
you
hav
e to
upd
ate
Wha
t hap
pens
if y
ou h
ave
to u
pdat
e th
e CR
L w
hile
the
CRL
you
just
issu
ed
the
CRL
whi
le th
e CR
L yo
u ju
st is
sued
is
sti
ll va
lid?
is s
till
valid
?""
You
can
upda
te it
, but
clie
nts
aren
�t
You
can
upda
te it
, but
clie
nts
aren
�t
requ
ired
to fe
tch
it s
ince
the
one
they
re
quir
ed to
fetc
h it
sin
ce th
e on
e th
ey
have
is s
till
valid
!ha
ve is
sti
ll va
lid!
!!Bo
ttom
line
: yik
es!
Bott
om li
ne: y
ikes
!""
We
need
som
ethi
ng e
lse
We
need
som
ethi
ng e
lse
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8181
CRLs
CRLs
vs. O
CSP
Resp
onse
svs
. OCS
P Re
spon
ses
!!A
ggre
gatio
n vs
. Fre
shne
ssA
ggre
gatio
n vs
. Fre
shne
ss""
CRLs
CRLs
com
bine
rev
ocat
ion
info
rmat
ion
for
com
bine
rev
ocat
ion
info
rmat
ion
for
man
y m
any
cert
sce
rts
into
one
long
into
one
long
-- liv
ed o
bjec
tliv
ed o
bjec
t""
OCS
P Re
spon
ses
desi
gned
for
real
OCS
P Re
spon
ses
desi
gned
for
real
-- tim
e tim
e re
spon
ses
to q
ueri
es a
bout
the
stat
us o
f a
resp
onse
s to
que
ries
abo
ut th
e st
atus
of a
si
ngle
cer
tific
ate
sing
le c
erti
ficat
e!!
Both
Bo
th C
RLs
CRLs
& O
CSP
Resp
onse
s ar
e &
OCS
P Re
spon
ses
are
gene
rate
d by
the
issu
ing
CA o
r its
ge
nera
ted
by th
e is
suin
g CA
or
its
desi
gnat
e. (
Gen
eral
ly th
is is
de
sign
ate.
(G
ener
ally
this
is n
otnot
the
the
rely
ing
part
y.)
rely
ing
part
y.)
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8282
Onl
ine
Stat
us C
heck
ing
Onl
ine
Stat
us C
heck
ing
!!O
CSP:
Onl
ine
Cert
ifica
te S
tatu
s Pr
otoc
olO
CSP:
Onl
ine
Cert
ifica
te S
tatu
s Pr
otoc
ol""
A w
ay to
ask
�is
this
cer
tific
ate
good
righ
t now
?A
way
to a
sk �
is th
is c
erti
ficat
e go
od ri
ght n
ow?
""G
et b
ack
a si
gned
resp
onse
from
the
OCS
P G
et b
ack
a si
gned
resp
onse
from
the
OCS
P se
rver
say
ing,
�Ye
s, c
ert C
is g
ood
at ti
me
t�se
rver
say
ing,
�Ye
s, c
ert C
is g
ood
at ti
me
t�""
Resp
onse
is li
ke a
�fr
eshn
ess
cert
ifica
te�
Resp
onse
is li
ke a
�fr
eshn
ess
cert
ifica
te�
!!O
CSP
resp
onse
is li
ke a
sel
ecti
ve C
RLO
CSP
resp
onse
is li
ke a
sel
ecti
ve C
RL""
Clie
nt in
dica
tes
the
Clie
nt in
dica
tes
the
cert
sce
rts
for
whi
ch h
e w
ants
fo
r w
hich
he
wan
ts
stat
us in
form
atio
nst
atus
info
rmat
ion
""O
CSP
resp
onde
r dyn
amic
ally
cre
ates
a
OCS
P re
spon
der d
ynam
ical
ly c
reat
es a
lig
htw
eigh
t CRL
light
wei
ght C
RL-- l
ike
resp
onse
for
thos
e lik
e re
spon
se fo
r th
ose
cert
sce
rts
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8383
OCS
P in
Act
ion
OCS
P in
Act
ion
End-
entit
y
CA
Rel
ying
Part
y
Cer
tC
ert
Cer
tC
ert
Req
uest
Req
uest
OC
SP R
eque
stO
CSP
Req
uest
OC
SPO
CSP
For
For
Cer
tC
ert
OC
SP R
espo
nse
OC
SP R
espo
nse
Tran
sact
ion
Res
pons
eTr
ansa
ctio
n R
espo
nse
Cer
tC
ert
++Tr
ansa
ctio
nTr
ansa
ctio
n
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8484
Fina
l tho
ught
s on
Rev
ocat
ion
Fina
l tho
ught
s on
Rev
ocat
ion
!!Fr
om a
fina
ncia
l sta
ndpo
int,
it�s
the
From
a fi
nanc
ial s
tand
poin
t, it
�s th
e re
voca
tion
data
that
is v
alua
ble,
not
re
voca
tion
data
that
is v
alua
ble,
not
th
e is
sued
cer
tific
ate
itse
lfth
e is
sued
cer
tific
ate
itse
lf""
For
high
For
high
-- val
ued
finan
cial
tran
sact
ions
, va
lued
fina
ncia
l tra
nsac
tion
s,
selle
r w
ants
to k
now
you
r ce
rt is
goo
d se
ller
wan
ts to
kno
w y
our
cert
is g
ood
righ
t now
righ
t now
""Sa
me
situ
atio
n as
with
cre
dit c
ards
, Sa
me
situ
atio
n as
with
cre
dit c
ards
, w
here
the
mer
chan
t wan
ts th
e ca
rd
whe
re th
e m
erch
ant w
ants
the
card
au
thor
ized
rig
ht n
ow a
t the
poi
ntau
thor
ized
rig
ht n
ow a
t the
poi
nt-- o
fof-- s
ale
sale
!!Ca
rd a
utho
riza
tions
tran
sfer
ris
k fr
om
Card
aut
hori
zatio
ns tr
ansf
er r
isk
from
m
erch
ant t
o ba
nk
mer
chan
t to
bank
��th
us th
ey�r
e w
orth
th
us th
ey�r
e w
orth
$$
$$$
$""
Sam
e w
ith
cert
sta
tus
chec
ksSa
me
wit
h ce
rt s
tatu
s ch
ecks
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8585
Usi
ng C
ertif
icat
esU
sing
Cer
tific
ates
!!M
ost c
erti
ficat
e us
es d
o no
t req
uire
any
sor
t M
ost c
erti
ficat
e us
es d
o no
t req
uire
any
sor
t of
dir
ecto
ryof
dir
ecto
ry""
Onl
y ne
eded
to lo
cate
som
eone
els
e�s
cert
ifica
te
Onl
y ne
eded
to lo
cate
som
eone
els
e�s
cert
ifica
te
for
encr
ypti
onfo
r en
cryp
tion
!!A
uthe
ntic
atio
n pr
otoc
ols
have
the
clie
nt
Aut
hent
icat
ion
prot
ocol
s ha
ve th
e cl
ient
pr
esen
t the
ir c
erti
ficat
e (o
r ch
ain)
to th
e pr
esen
t the
ir c
erti
ficat
e (o
r ch
ain)
to th
e se
rver
serv
er""
Ex: S
SL, T
LS, S
mar
t car
d lo
gon
Ex: S
SL, T
LS, S
mar
t car
d lo
gon
""Ru
les
for m
appi
ng a
cer
tific
ate
to u
ser a
ccou
nt
Rule
s fo
r map
ping
a c
ertif
icat
e to
use
r acc
ount
va
ry w
idel
yva
ry w
idel
y""
Cert
fiel
ds, n
ame
form
s, b
inar
y co
mpa
reCe
rt fi
elds
, nam
e fo
rms,
bin
ary
com
pare
!!Si
gnin
g op
erat
ions
em
bed
the
cert
ifica
tes
Sign
ing
oper
atio
ns e
mbe
d th
e ce
rtifi
cate
s w
ith
the
sign
atur
ew
ith
the
sign
atur
e""
How
els
e w
ould
you
kno
w w
ho s
igne
d it
?H
ow e
lse
wou
ld y
ou k
now
who
sig
ned
it?
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8686
Usi
ng C
ertif
icat
es (2
)U
sing
Cer
tific
ates
(2)
!!X.
509
and
PKIX
def
ine
the
basi
c X.
509
and
PKIX
def
ine
the
basi
c st
ruct
ure
of c
erti
ficat
esst
ruct
ure
of c
erti
ficat
es""
If y
ou u
nder
stan
d X.
509,
you
can
par
se
If y
ou u
nder
stan
d X.
509,
you
can
par
se
any
cert
ifica
te y
ou�r
e pr
esen
ted
any
cert
ifica
te y
ou�r
e pr
esen
ted
!!H
owev
er, e
very
pro
toco
l def
ines
a
How
ever
, eve
ry p
roto
col d
efin
es a
ce
rtifi
cate
pro
file
cert
ifica
te p
rofil
efo
r ce
rtifi
cate
use
in
for
cert
ifica
te u
se in
th
at p
arti
cula
r pr
otoc
olth
at p
arti
cula
r pr
otoc
ol""
Ex: T
LS, S
/MIM
E, IP
SEC,
WPA
/WPA
2Ex
: TLS
, S/M
IME,
IPSE
C, W
PA/W
PA2
!!CA
sCA
s /or
gani
zatio
ns d
efin
e pr
ofile
s to
o/o
rgan
izat
ions
def
ine
prof
iles
too
""Ex
: US
Ex: U
S D
oDD
oDCo
mm
on A
cces
s Ca
rd
Com
mon
Acc
ess
Card
cer
tsce
rts
Febr
uary
21,
200
6Fe
brua
ry 2
1, 2
006
Prac
tical
Asp
ects
of M
oder
n Cr
ypto
grap
hyPr
actic
al A
spec
ts o
f Mod
ern
Cryp
togr
aphy
8787
Add
ition
al Im
plem
enta
tion
Add
ition
al Im
plem
enta
tion
Cons
ider
atio
nsCo
nsid
erat
ions
!!Pu
blis
hing
cer
tific
ates
Publ
ishi
ng c
erti
ficat
es""
How
? W
here
? W
hat f
orm
at?
How
? W
here
? W
hat f
orm
at?
!!Ke
y es
crow
/ d
ata
reco
very
for
Key
escr
ow /
dat
a re
cove
ry fo
r en
cryp
tion
keys
/en
cryp
tion
keys
/ cer
tsce
rts
!!A
uto
Aut
o --en
rollm
ent (
user
s &
mac
hine
s)en
rollm
ent (
user
s &
mac
hine
s)!!
Esta
blis
hing
trus
ts /
hie
rarc
hies
Esta
blis
hing
trus
ts /
hie
rarc
hies
!!Pr
otec
ting
pri
vate
key
sPr
otec
ting
pri
vate
key
s!!
Dis
sem
inat
ing
root
cer
tific
ates
Dis
sem
inat
ing
root
cer
tific
ates