SSH Communications Security
Certificate Revocation

If the private key of an end entity is compromised, or the right to authenticate with a certificate is lost during the certificate's validity period, the certificate has to be revoked and all PKI users have to be informed of this. Certificate revocation lists (CRLs) serve this purpose.

A CRL is a time-stamped list identifying the revoked certificates, signed by a CA. Because it is signed, a CRL can be distributed via untrusted channels in public directories, just like the certificates themselves. Each CA issues CRLs on a regular basis, with the issuance period defined in the CA's security policy. Certificate validation therefore has to include retrieval of the latest CRL in order to check the status of the certificate. The X.509 v2 CRL is the standard PKIX CRL format.

As certificate revocation lists are only updated periodically, they do not provide real-time status information for the PKI. If stricter security is required, online status data has to be provided to relying end entities. In the Online Certificate Status Protocol (OCSP), OCSP responders answer end entities' status requests with signed responses stating the revocation status of a certificate. This kind of function is required, for example, in a PKI where high-value business transactions are digitally signed.
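The CRL checks described above, carried out in Go's standard library as an added example that is not part of this manual or of the SSH product: the relying party verifies the CA's signature on the CRL, refuses a CRL whose thisUpdate/nextUpdate window has passed (the "latest CRL" requirement), and only then looks the serial number up. The function names checkCRL and demoPKI are assumed, and demoPKI builds a constructed toy CA and CRL so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL validates a DER-encoded X.509 v2 CRL against the issuing CA and reports whether the given
// serial is listed. A CRL with a bad signature or outside its thisUpdate/nextUpdate window is rejected.
func checkCRL(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // CRLs arrive over untrusted channels: the signature is the trust anchor
		return false, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL valid %s to %s, not at %s: fetch the latest CRL", crl.ThisUpdate, crl.NextUpdate, now)
	}
	for _, e := range crl.RevokedCertificates { // serial numbers are unique per issuing CA
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demoPKI builds a constructed toy PKI: a self-signed CA and a one-day CRL it signs that revokes serial 42.
func demoPKI(now time.Time) (ca *x509.Certificate, crlDER []byte, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, key)
	return ca, crlDER, err
}

func main() {
	ca, crl, _ := demoPKI(time.Now())
	fmt.Println(checkCRL(crl, ca, big.NewInt(42), time.Now())) // true <nil>
}
```

A stale CRL yields an error rather than "not revoked", which is the safe failure mode: the relying party must fetch a current CRL (or ask an OCSP responder) before accepting the certificate.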


Copyright © 2001 SSH Communications Security Corp
All rights reserved.