ALL >> Computer-Programming >> View Article
Certificate Revocation Considerations
The certificate revocation considerations are:
? Certificates can be revoked, but not all applications check revocation lists. In addition, many things can delay the distribution and downloading of new CRLs.
? Remember to design validity periods based on finding the sweet spot between
minimizing exposure and opportunities for compromise and allowing for the
administrative tasks that might be necessary during renewal. Where auto-enrollment reduces the administrative task of renewal, time frames can be shorter, but
keep in mind that auto-enrollment means fewer certificates will expire on their
own if the issuing CA is still available on the network.
? An additional decision must be made at CA renewal time. When a CA is renewed,
a new key pair can be generated or the old pair can be reused. Remember the reason for CA certificate renewal: the minimizing of opportunity for key compromise.
Creating a new key pair is a good way to continue limiting opportunities, but the
decision should be based on the strength of the key and the status of computer
technology ...
... and praticing in free certification (free certification exam questions). A large key size is typically harder to crack and therefore more desirable. Larger keys, however, take a longer time to generate and encrypt information. The root CA certification, however, will be used only to sign new subordinate
CA certificates, so this point is moot.
Off the Record How large should the key for the root CA be? Should it always be regenerated when the certificate is renewed? One estimate concludes that a 4096-bit key might take about 15 years to crack with today's computing equipment. If the root CA is given a 4096-bit key and a five-year validity period, when the administrator renews the certificate after four years, she can reassess the key based on thoughts of cryptography experts at that time. She can then make a decision about whether to renew by using the current key pair or by generating a new key pair.
? Intermediate CAs, those CAs that do not issue end-use certificates, must also renew
their certificates, and you can choose whether or not to renew their keys. On one
hand, they are not the root and have no power to issue end-use certificates. How-
ever, if they are compromised, every issuing CA they have issued a CA certificate for
must be replaced. They are also more exposed than the stand-alone root CA. In
addition, if cross-certification with another CA hierarchy is performed at the intermediary CA level, their being compromised might result in more risk and greater negative implications than with a CA that has not issued a cross-site certificate.
? When a new key pair is generated for a CA, a new CRL distribution point is created. This is done to ensure the CRL is signed by the current CA private key. This
can also be used to advantage in environments -where many certificates are issued
and revoked. CRLs can become large in these cases, and although the old CRL will
continue to be issued until every certificate that -was issued using the old keys has
expired, it will eventually be of no use.
? Certificate renewal is necessary to implement policy change:
Q If, for example, you -want a cross-certificate, a new policy file can be created only for an existing CA when the certificate is renewed.
Q Other changes, such as adding the ability to archive private keys, will result in the certificates previously issued being supercedecl and new certificates being issued.
Q When a policy changes, and thus CA renewal is necessaiy, plan the renewal for off-peak hours when the request for (free practice exam questions) will likely not be as high.
Q Policy changes cannot always be anticipated, but the process required to handle them can be a part of the design of the renewal process. Consider how the change will affect certificate requests and whether current certificates should be used until they expire or whether the new (MCSA Certification) should supercede them.
Add Comment
Computer Programming Articles
1. How To Choose The Right Coding Institute In BhopalAuthor: Shankar Singh
2. Streamline Your Finances With The Best Bookkeeping Software In Zambia
Author: Doris Rose
3. Maximizing Ebay Success With Maropost/neto Partnerships
Author: rachelvander
4. The Rise Of Ai In Modern Gaming
Author: Saira
5. Enhancing Business Efficiency With Entrust Network: Singapore’s Premier It Solutions Partner
Author: Entrust Network Services
6. Ai And Ml Training: Empowering Your Career With Infograins Tcs
Author: Infograins tcs
7. How To Evaluate Coding Institutes In Bhopal?
Author: Shankar Singh
8. Revolutionizing Delivery Services With Application Development
Author: basheer ansari shaik
9. How Google Cloud Platform Aids Businesses And Keeps Its Data Safe?
Author: Stuart
10. Custom Web Development Solutions In Surat For Growing Businesses
Author: sassy infotech
11. Video Streaming App Development: 12 Key Features, Architecture And Cost
Author: Byteahead
12. Understanding Google Analytics Events
Author: Byteahead
13. Types Of Learning Management Systems
Author: Byteahead
14. How To Choose The Best Coding Institute In Bhopal?
Author: Shankar Singh
15. Top Tech Trends Real Estate Companies Should Focus
Author: Byteahead