Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Public key infrastructure
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== Certificate authorities === {{main|Certificate authority}} The primary role of the CA is to [[digital signature|digitally sign]] and publish the [[public key]] bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. When the CA is a third party separate from the user and the system, then it is called the Registration Authority (RA), which may or may not be separate from the CA.<ref>"Mike Meyers CompTIA Security+ Certification Passport", by T. J. Samuelle, p. 137.</ref> The key-to-user binding is established, depending on the level of assurance the binding has, by software or under human supervision. The term [[trusted third party]] (TTP) may also be used for [[certificate authority]] (CA). Moreover, PKI is itself often used as a synonym for a CA implementation.<ref> {{cite web |url = http://www.businessdictionary.com/definition/Trusted-Third-Party-Services-TTP-Services.html |title = Trusted Third Party Service |date = 4 March 2016 |first = William |last = Henry |access-date = 4 March 2016 |archive-date = 4 March 2016 |archive-url = https://web.archive.org/web/20160304211542/http://www.businessdictionary.com/definition/Trusted-Third-Party-Services-TTP-Services.html |url-status = dead }}</ref> ==== Certificate revocation ==== {{main|Certificate revocation}} A certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker would be able to exploit such a compromised or mis-issued certificate until expiry.{{sfn|Smith|Dickinson|Seamons|2020|p=1}} Hence, revocation is an important part of a public key infrastructure.{{sfn|Sheffer|Saint-Andre|Fossati|2022|loc=7.5. Certificate Revocation}} Revocation is performed by the issuing [[certificate authority]], which produces a [[cryptographically authenticated]] statement of revocation.{{sfn|Chung|Lok|Chandrasekaran|Choffnes|2018|p=3}} For distributing revocation information to clients, timeliness of the discovery of revocation (and hence the window for an attacker to exploit a compromised certificate) trades off against resource usage in querying revocation statuses and privacy concerns.{{sfn|Smith|Dickinson|Seamons|2020|p=10}} If revocation information is unavailable (either due to accident or an attack), clients must decide whether to ''fail-hard'' and treat a certificate as if it is revoked (and so degrade [[availability]]) or to ''fail-soft'' and treat it as unrevoked (and allow attackers to sidestep revocation).{{sfn|Larisch|Choffnes|Levin|Maggs|2017|p=542}} Due to the cost of revocation checks and the availability impact from potentially-unreliable remote services, [[Web browsers]] limit the revocation checks they will perform, and will fail-soft where they do.{{sfn|Smith|Dickinson|Seamons|2020|p=1-2}} [[Certificate revocation lists]] are too bandwidth-costly for routine use, and the [[Online Certificate Status Protocol]] presents connection latency and privacy issues. Other schemes have been proposed but have not yet been successfully deployed to enable fail-hard checking.{{sfn|Sheffer|Saint-Andre|Fossati|2022|loc=7.5. Certificate Revocation}} ==== Issuer market share ==== In this model of trust relationships, a CA is a trusted third party β trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. According to NetCraft report from 2015,<ref>{{cite web|url=http://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|title=Counting SSL certificates|date=13 May 2015 }}</ref> the industry standard for monitoring active [[Transport Layer Security]] (TLS) certificates, states that "Although the global [TLS] ecosystem is competitive, it is dominated by a handful of major CAs β three certificate authorities ([[NortonLifeLock|Symantec]], [[Sectigo]], [[GoDaddy]]) account for three-quarters of all issued [TLS] certificates on public-facing web servers. The top spot has been held by Symantec (or [[VeriSign]] before it was purchased by Symantec) ever since [our] survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use β significantly more than its overall market share." Following major issues in how certificate issuing was managed, all major players gradually distrusted Symantec-issued certificates, starting in 2017 and completed in 2021.<ref>{{cite web |title=CA:Symantec Issues |url=https://wiki.mozilla.org/CA:Symantec_Issues |website=Mozilla Wiki |access-date=10 January 2020 |ref=symantec-mozilla}}</ref><ref>{{cite web |title=Chrome's Plan to Distrust Symantec Certificates |url=https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html |website=Google security blog |access-date=10 January 2020 |ref=symantec-chrome}}</ref><ref>{{cite web |title=JDK-8215012 : Release Note: Distrust TLS Server Certificates Anchored by Symantec Root CAs |url=https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8215012 |website=Java Bug Database |access-date=10 January 2020 |ref=symantec-java}}</ref><ref>{{cite web |date=2023-09-05 |title=Information about distrusting Symantec certificate authorities |url=https://support.apple.com/en-us/HT208860 |access-date=2024-01-16 |website=Apple Support |language=en}}</ref> ==== Temporary certificates and single sign-on ==== This approach involves a server that acts as an offline certificate authority within a [[single sign-on]] system. A single sign-on server will issue digital certificates into the client system, but never stores them. Users can execute programs, etc. with the temporary certificate. It is common to find this solution variety with [[X.509]]-based certificates.<ref>Single Sign-On Technology for SAP Enterprises: What does SAP have to say? {{cite web |url=http://www.secude.com/html/?id=1890 |title=Single Sign-On Technology for SAP Enterprises: What does SAP have to say? | May 2010 | SECUDE AG |access-date=2010-05-25 |url-status=dead |archive-url=https://web.archive.org/web/20110716031415/http://www.secude.com/html/?id=1890 |archive-date=2011-07-16 }}</ref> Starting Sep 2020, TLS Certificate Validity reduced to 13 Months.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)