
Certificate Revocation Lists (CRLs), PKI Implementation – Allied Telesis AT-S62 User Manual

Page 522


Chapter 27: Public Key Infrastructure Certificates

Section VII: Management Security


Out-of-band verification involves both the owner of a certificate and the
user who wishes to verify that certificate generating a one-way hash (a
fingerprint) of the certificate. Both parties must hash the same encoding of
the certificate (normally the DER encoding, which is what tools display as
the fingerprint). The two fingerprints must then be compared using at least
one communication method that does not rely on the network being trusted.
Examples of suitable methods are postal mail, telephone, fax, or transfer by
hand on a storage device such as a smartcard or floppy disk. If the two
fingerprints are identical in full, the certificate can be considered valid;
a match on only the first few groups is not sufficient.
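The fingerprint comparison described above, written out as an added example that is not code from the AT-S62 manual. It assumes the certificate arrives as a PEM file, derives the colon-separated SHA-256 fingerprint from the DER bytes the way common tools display it, and compares the value read back over the phone in constant time. The certificate bytes are a constructed stand-in; the logic does not depend on their content.

```python
"""Out-of-band certificate fingerprint check.

Added example, not code from the AT-S62 manual. The certificate bytes below
are a constructed stand-in for a real DER-encoded X.509 certificate; the
fingerprint logic does not depend on their content.
"""
import base64
import hashlib
import hmac

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: 512 bytes standing in for a DER-encoded certificate.
CONSTRUCTED_DER = bytes(range(256)) * 2


def der_to_pem(der: bytes, width: int = 64) -> str:
    """Wrap DER bytes in PEM armour, base64 wrapped at `width` columns."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM certificate, ignoring line wrapping."""
    inside = False
    chunks = []
    for line in pem.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside = True
            continue
        if line == PEM_END:
            break
        if inside:
            chunks.append(line)
    if not inside or not chunks:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(chunks), validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint in the familiar colon-separated form, e.g. 'AB:CD:...'.

    The hash is taken over the DER bytes, which is what `openssl x509
    -fingerprint` and most management UIs display. Hashing the PEM text
    instead gives a different, non-comparable value.
    """
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize_fingerprint(fp: str) -> str:
    """Strip separators and case so values read out by phone or fax compare."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(local: str, remote: str) -> bool:
    """Constant-time comparison of two fingerprints after normalisation.

    A partial match (a prefix or a few matching groups) must not count,
    so the lengths are compared as well as the content.
    """
    a = normalize_fingerprint(local)
    b = normalize_fingerprint(remote)
    return len(a) == len(b) and hmac.compare_digest(a, b)


if __name__ == "__main__":
    pem_64 = der_to_pem(CONSTRUCTED_DER, width=64)
    pem_76 = der_to_pem(CONSTRUCTED_DER, width=76)
    fp_local = fingerprint(pem_to_der(pem_64))
    # Value as the owner might read it back over the telephone.
    fp_remote = fingerprint(pem_to_der(pem_76)).lower().replace(":", " ")
    print("fingerprint:", fp_local)
    print("match:", fingerprints_match(fp_local, fp_remote))
    print("PEM-text hash equals DER fingerprint?",
          fingerprint(pem_64.encode()) == fp_local)
```

Two points the code makes explicit: re-wrapping the PEM text does not change the fingerprint because the hash is over the decoded DER, and hashing the PEM file itself produces a value that will never match what the other party reads out.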

Certificate Revocation Lists (CRLs)

A certificate may become invalid before it expires because some of the
details in it change (for example, the subject's address changes), because
the relationship between the Certification Authority (CA) and the subject
changes (for example, an employee leaves the company), or because the
associated private key is compromised. A CA publishes a list of the
certificates it has revoked, the certificate revocation list (CRL), in a
publicly accessible location. A relying party should consult a current CRL
before trusting a certificate that is otherwise valid: the CRL is signed by
the CA, and it is only useful if that signature verifies and its next-update
time has not passed.
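The decision a relying party makes against a CRL, as an added example that is not code from the AT-S62 manual. The CRL contents are constructed; a real CRL would be parsed from DER and its signature verified against the CA's public key before this logic runs. The three revoked entries use one plausible mapping of the situations listed above onto the CRLReason codes of RFC 2459, and the check fails closed when the CRL cannot answer the question (wrong issuer, not yet valid, or stale).

```python
"""Checking a certificate against a CRL, with the freshness checks that make
the answer trustworthy.

Added example, not code from the AT-S62 manual. The CRL contents are
constructed; a real CRL would be parsed from DER and its signature verified
against the CA's public key before this logic runs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"                  # serial not on a current, matching CRL
    REVOKED = "revoked"            # serial listed
    UNDETERMINED = "undetermined"  # CRL unusable: treat as not trusted


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str  # CRLReason names from RFC 2459 section 5.3.1


@dataclass(frozen=True)
class Crl:
    issuer: str            # distinguished name of the issuing CA
    this_update: datetime  # when the CA produced this list
    next_update: datetime  # when the CA promises a newer list
    revoked: tuple


def check_revocation(cert_issuer: str, cert_serial: int, crl: Crl,
                     now: datetime) -> tuple:
    """Return (Status, explanation) for a certificate against one CRL.

    Fails closed: a CRL from the wrong CA, one not yet valid, or one past
    its nextUpdate cannot prove the certificate is good, so the result is
    UNDETERMINED rather than GOOD.
    """
    if crl.issuer != cert_issuer:
        return Status.UNDETERMINED, "CRL was issued by a different CA"
    if now < crl.this_update:
        return Status.UNDETERMINED, "CRL thisUpdate is in the future (clock skew?)"
    if now > crl.next_update:
        return Status.UNDETERMINED, "CRL is stale; fetch a newer one"
    for entry in crl.revoked:
        if entry.serial == cert_serial:
            return Status.REVOKED, (
                f"revoked {entry.revocation_date.isoformat()} "
                f"reason={entry.reason}")
    return Status.GOOD, "serial not listed on a current CRL"


# --- constructed sample data ---------------------------------------------
ISSUER = "CN=Example Corp CA,O=Example Corp"
T0 = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_CRL = Crl(
    issuer=ISSUER,
    this_update=T0,
    next_update=T0 + timedelta(days=7),
    revoked=(
        # one plausible mapping of the manual's three situations to reason codes
        RevokedEntry(0x1001, T0 - timedelta(days=3), "superseded"),          # details changed
        RevokedEntry(0x1002, T0 - timedelta(days=2), "affiliationChanged"),  # employee left
        RevokedEntry(0x1003, T0 - timedelta(days=1), "keyCompromise"),       # private key exposed
    ),
)


def demo() -> dict:
    """Run the check in the situations a relying party meets."""
    inside = T0 + timedelta(days=1)
    return {
        "compromised": check_revocation(ISSUER, 0x1003, SAMPLE_CRL, inside)[0],
        "unlisted": check_revocation(ISSUER, 0x2000, SAMPLE_CRL, inside)[0],
        "stale_crl": check_revocation(ISSUER, 0x2000, SAMPLE_CRL,
                                      T0 + timedelta(days=8))[0],
        "wrong_ca": check_revocation("CN=Other CA", 0x2000, SAMPLE_CRL, inside)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:12s} -> {status.value}")
```

The important branch is the stale one: an expired CRL says nothing about certificates revoked since it was issued, so "not listed" on it must not be read as "good".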

PKI Implementation

The following sections discuss Allied Telesyn's implementation of PKI for
the AT-S62 management software. These topics are covered:

❑ PKI Standards

❑ Certificate Retrieval and Storage

❑ Certificate Validation

❑ Root CA Certificates

PKI Standards

The switch supports the following standards:

❑ draft-ietf-pkix-roadmap-05 — PKIX Roadmap

❑ RFC 1779 — A String Representation of Distinguished Names

❑ RFC 2459 — Internet X.509 Public Key Infrastructure Certificate and CRL Profile

❑ RFC 2511 — Internet X.509 Certificate Request Message Format (CRMF)

❑ PKCS #10 v1.7 — Certification Request Syntax Standard

Several of these documents have since been superseded: RFC 1779 by RFC 2253
and later RFC 4514, RFC 2459 by RFC 3280 and later RFC 5280, and RFC 2511 by
RFC 4211; PKCS #10 v1.7 was also published as RFC 2986. A current CA may emit
extensions or signature algorithms newer than these profiles, so confirm that
the certificates it issues load and validate correctly on the switch.

Certificate Retrieval and Storage

Certificates are stored by CAs in publicly accessible repositories for
retrieval by end entities. Repositories used in PKI are commonly accessed
via the following protocols: Hypertext Transfer Protocol (HTTP), File
Transfer Protocol (FTP). Neither protocol authenticates the data it
delivers, so a certificate retrieved this way is trustworthy only because
the CA's signature on it verifies (or, for a root CA certificate, because
its fingerprint has been checked out of band), not because of how it was
fetched.