PKI Standards - Exercise

There are standards and frameworks for Public Key Infrastructure (PKI) that establish trust and interoperability. PKI is a system of processes, technologies, and policies that allows for the secure management of digital certificates and public-private key pairs. Several widely recognized standards and organizations contribute to defining PKI standards and trust models. Here's an overview: Key PKI Standards

1. X.509 Standard:
   • Developed by the International Telecommunication Union (ITU) and adopted by the Internet Engineering Task Force (IETF), X.509 is the foundational standard for PKI.
   • It defines the format for public key certificates, certificate revocation lists (CRLs), and certificate authorities (CAs).
   • RFC 5280 (an IETF document) is the most commonly referenced specification for X.509 in the context of the internet.
2. PKCS (Public-Key Cryptography Standards):
   • A set of standards developed by RSA Laboratories, widely used in PKI implementations.
   • Examples include:
     • PKCS #1: RSA cryptography standard.
     • PKCS #7: Cryptographic Message Syntax (CMS), used for signing and encrypting messages.
     • PKCS #10: Certification request standard.
     • PKCS #12: Personal information exchange syntax (e.g., for storing private keys and certificates).
3. CA/Browser Forum:
   • A voluntary group of certificate authorities (CAs), browser vendors, and other stakeholders.
   • Publishes guidelines like the Baseline Requirements for the issuance and management of publicly trusted certificates (e.g., for TLS/SSL).
   • Ensures trust in certificates used on the web by defining strict policies for CAs.
4. ISO/IEC 9594-8:
   • The international standard aligned with X.509, focusing on the directory services and authentication framework for PKI.
5. FIPS 140-2/140-3:
   • U.S. federal standards (from NIST) for cryptographic modules, often required for PKI implementations in government or regulated industries.

Trust Models in PKI PKI relies on a trust model to ensure that certificates can be verified and relied upon. Common trust models include:

1. Hierarchical Trust Model:
   • A root CA issues certificates to subordinate CAs, which then issue certificates to end users or devices.
   • Trust is established through a chain of certificates back to a trusted root CA.
   • Example: Most web browsers trust a set of root CAs included in their trust stores.
2. Web of Trust:
   • Used in systems like PGP (Pretty Good Privacy), where users sign each other’s keys to establish trust without a central authority.
   • Less common in traditional PKI but relevant in decentralized systems.
3. Bridge CA Model:
   • Connects multiple PKI domains by establishing trust between different root CAs via a bridge CA.
   • Often used in large organizations or government systems.
4. Cross-Certification:
   • Two or more CAs certify each other’s root certificates to establish mutual trust.

Organizations Ensuring Trust

• Internet Engineering Task Force (IETF): Publishes RFCs like RFC 5280 and RFC 6960 (OCSP - Online Certificate Status Protocol).
• National Institute of Standards and Technology (NIST): Provides guidelines like SP 800-32 for PKI in federal systems.
• WebTrust for CAs: An audit framework by the AICPA and CPA Canada to certify that CAs meet operational and security standards.

Practical Implementation In practice, PKI trust is enforced by:

1. Root Certificate Stores: Browsers and operating systems maintain lists of trusted root CAs.
   • Browsers maintain lists of trusted root CAs.
   • Operating systems maintain lists of trusted root CAs.
2. Certificate Revocation Lists (CRLs) and OCSP: Mechanisms to check if a certificate has been revoked.
   • CRLs are used to check if a certificate has been revoked.
   • OCSP is used to check if a certificate has been revoked.
3. Extended Validation (EV) Certificates: Higher assurance certificates with stricter vetting processes.
   • EV certificates provide higher assurance.
   • EV certificates involve stricter vetting processes.

These are well-established PKI standards (like X.509) and trust frameworks (like those from the CA/B Forum) that ensure PKI operates reliably and securely across systems. If you’re looking for something more specific—like a particular standard or implementation—let me know, and I can dive deeper!

An On Your Own exercise is a good way to practice the skills you have learned in this module. This is optional hands-on exercise that you can do if you have access to the optional hardware and software for this course. There is no score for completing this exercise.

Go to https://www.verisign.com/. Research VeriSign's pages. Verify the information already provided to you in this module. Study the general quality of the site.
Now, go to letsencrypt.org View the pages. Notice the general quality of the site.
Answer the following questions:

1. Which site you would choose as a CA?
2. Which site instills the most confidence in you?
3. Which of the sites is most clearly directed at an international market? Why?

When you have completed this exercise, click the Submit button .