Planning for PKI

Best Practices Guide for Deploying Public Key Infrastructure

Russ Housley, Tim Polk

Publisher: Wiley, 2001, 326 pages

ISBN: 0--471-39702-4

Keywords: IT Security

Last modified: May 6, 2021, 9:05 p.m.

An in-depth technical guide to the security technology driving Internet e-commerce.

Planning for PKI examines this cornerstone Internet security technology. Written by two of the architects of the Internet PKI standards, this book provides authoritative technical guidance for network engineers, architects, and managers who need to implement the right PKI architecture for their organization. Readers will learn that building a successful PKI is an on going process, not a one-time event. The authors discuss results and lessons learned from three early PKI deployments, helping readers avoid the pitfalls and emulate the successes of early PKI adopters.

Using plain and direct language, the authors share their extensive knowledge of PKI standards development in the Internet Engineering Task Force (IETF) and elsewhere. Subtle points about the Internet PKI standards are liberally sprinkled throughout the book. These nuggets provide insight into the intent of some of the esoteric topics in the standards, enabling greater interoperability.

Planning for PKI gathers the PKI state-of-the-art into one volume, covering everything from PKI history to emerging PKI-related technologies.

  1. Introduction
    • How This Book Is Organized
      • Part One: PKI Background
      • Part Two: PKI Details
      • Part Three: Policy Issues
      • Part Four: The Standard Applications
      • Part Five: PKI Case Studies
      • Part Six: Adding Value to PKI in the Future
      • Appendices
    • Who Should Read This Book
  2. Cryptography Primer
    • Symmetric Cryptography
    • Symmetric Integrity Functions
    • Asymmetric Key Management
    • Digital Signatures
  3. PKI Basics
    • Simple Certificates
      • The Business Card
      • The Credit Card
      • The Ideal Certificate
    • Public Key Certificates
    • Certificate Revocation List
    • Certificate Policies
    • Certification Paths
    • Summary
  4. Authentication Mechanisms
    • Passwords
    • One-Time Authentication Values
      • Challenge/Response Authentication
      • Time-Based Implicit Challenge
      • Using One-Way Hash Functions
    • Kerberos
      • Obtaining a Ticket-Granting Ticket
      • Authenticating to a Server
      • Kerberos Public Key Initialization
    • Certificate-Based Authentication
  5. PKI Components and Users
    • Infrastructure Components
      • Certification Authority
        • Issuing Certificates
        • Maintaining Status Information and Issuing CRLs
        • Publishing Certificates and CRLs
        • Maintaining Archives
        • Delegating Responsibility
      • Registration Authority
      • Repository
      • Archive
    • Infrastructure Users
      • Certificate Holders
      • Relying Party
    • Build It or Buy It?
  6. PKI Architectures
    • Simple PKI Architectures
      • Single CA
      • Basic Trust Lists
    • Enterprise PKI Architectures
      • Hierarchical PKI
      • Mesh PKI
    • Hybrid PKI Architectures
      • Extended Trust List Architecture
      • Cross-Certified Enterprise PKIs
      • Bridge CA Architecture
    • Choosing the Best Architecture
  7. X.509 Public Key Certificates
    • X.509 Certificate Evolution
    • ASN.1 Building Blocks
      • Object identifiers
      • Algorithm Identifiers
      • Directory String
      • Distinguished Names
      • General Names
      • Time
    • X.509 Certificates
        • The Tamper-Evident Envelope
      • Basic Certificate Content
      • Certificate Extensions
        • Subject Type Extensions
          • Basic Constraints
        • Name Extensions
          • Issuer Alternative Name
          • Subject Alternative Name
          • Name Constraints
        • Key Attributes
          • Key Usage
          • Extended Key Usage
          • Private Key Validity
          • Subject Key Identifier
          • Authority Key Identifier
        • Policy Information
          • Certificate Policies
          • Policy Mapping
          • Policy Constraints
          • Inhibit Any-Policy
        • Additional Information
          • CRL Distribution Points
          • Fresher CRL
          • Authority Information Access
          • Subject Information Access
          • Subject Directory Attributes
    • Generating and Using Certificates
      • End Entity Certificates
        • User Certificates
        • System Certificates
      • CA Certificates
        • CA Certificates within an Enterprise PKI
        • CA Certificates between Enterprise PKIs
        • CA Certificates in a Bridge CA Environment
      • Self-Issued Certificates
        • Trust Point Establishment
        • Rollover Certificates
          • Old Signed With New
          • New Signed With Old
        • Policy Rollover Certificates
          • Old Signed With New
          • New Signed With Old
  8. Certificate Revocation Lists
    • Basic CRL Contents
      • The Signed Certificate List
      • CRL Extensions
        • Authority Key Identifier
        • Issuer Alternative Name
        • CRL Number
        • Delta CRL Indicator
        • Issuing Distribution Point
        • Freshest CRL
      • CRL Entry Extensions
        • Reason Code
        • Hold Instruction Code
        • Invalidity Date
        • Certificate Issuer
    • Generating and Using CRLs
      • CRL Coverage
      • Full CRLs
      • CRL Distribution Points
        • CRL Location
        • CRL Size
      • Delta CRLs
      • Indirect CRLs
  9. Repository Protocols
    • Repository Attributes
    • Common Repository Protocols
      • Directories
        • The X.500 Directory
        • Lightweight Directory Access Protocol (v2)
        • X.500 Directory with LDAP
        • LDAP v3 with Extensions
      • FTP
      • HTTP
      • Electronic Mail
      • Domain Name System Support
    • Border Repositiories
    • Practical PKI Repositories
  10. Building and Validating Certification Paths
    • Certification Path Construction
      • Simple PKI Architectures
      • Hierarchical PKI Architectures
      • Mesh PKI Architectures
      • Extended Trust List Architectures
      • Cross-Certified PKI Architectures
      • Bridge CA Architectures
    • Certification Path Validation
      • Initialization
      • Basic Certificate Checking
      • Preparation for the Next Certificate
      • Wrap-up
    • CRL Validation
      • CRL Processing
      • Wrap-up
    • Merging Path Construction and Validation
    • Summary
  11. PKI Management Protocols
    • PKI Management Transactions
    • Participants
    • Transaction Models
    • Management Protocol Comparison Criteria
    • Common PKI Management Protocols
      • PKCS #10
        • PKCS #10 with SSL
          • PKCS #10 and SSL Summary
        • PKCS #7 and PKCS #10
          • PKCS #7 and #10 Summary
        • Certificate Management Protocol (CMP)
          • CMP Summary
      • Certificate Management using CMS (CMC)
        • CMS Summary
      • Simple Certificate Enrollment Protocol (SCEP)
        • SCEP Summary
    • Selecting PKI Management Protocols
  12. Policies, Procedures, and PKI
    • Introduction to Policy and Procedures
    • Policy and PKI
      • Certificate Policies and Certification Practice Statements
      • The CP, CPS, and Policy Extensions
      • CP and CPS Format and Contents
        • Highlights of the RFC 2527 Format
          • Introduction
          • General Provisions
          • Identification and Authentication
          • Operational Requirements
          • Physical, Procedural, and Personnel Security Controls
          • Technical Security Controls
          • Certificate and CRL Profiles
          • Specification Administration
      • Compliance Audits and Accreditation
    • Advice for Policy Authors
  13. PKI-Enabled Applications
    • S/MIMEv3
      • Message Signature and Encryption
      • Enhanced Security Services
      • PKI Support
    • Transport Layer Security (TLS)
      • Handshake Protocol
      • Record Protocol
      • PKI Support
    • IPsec
      • Security Associations
      • Authentication Header (AH)
      • Encapsulating Security Payload
      • Internet Key Exchange (IKE)
      • PKI Support
    • Summary
  14. Defense Message System 1.0
    • DMS 1.0 Architecture
      • Cryptographic Environment
      • PKI Architecture
      • Certificate and CRL Profiles
      • Repositories
      • Certificate Management
      • Management Protocols
      • Failure Recovery
      • Applications
    • Successes and Shortcomings
    • Lessons Learned
  15. California Independent Service Operator
    • CAISO Architecture
      • Cryptographic Environment
      • PKI Architecture
      • Certificate and CRL Profiles
      • Repositories
      • Certificate Management
      • Management Protocols
      • Failure Recovery
      • Applications
    • Successes and Shortcomings
    • Lessons Learned
  16. The Federal Bridge CA Project
    • Federal PKI Architecture
      • Cryptographic Environment
      • PKI Architecture
      • Certificate Policies
      • Certificate and CRL Profiles
      • Repositories
      • Certificate Management
      • Management Protocols
      • Applications
    • Successes and Shortcomings
    • Lessons Learned
  17. Future Developments
    • Cryptography
    • PKI Architectures
    • Certificates
      • Attribute Certificates
      • Qualified Certificates
      • Alternative Certificate Formats
    • Certificate Status
      • On-Line Certificate Status Protocol
      • Sliding Window Delta CRLs
    • Repositories
    • Certification Path Construction and Validation
      • Certification Path Validation Testing
      • Delegated Certification Path Construction Services
      • Certification Path Validation Services
    • Management Protocols
      • Interoperability of Heterogeneous Products
      • In-Person Authentication
      • Private Key Recovery
      • Centrally Generated Keys
    • Legal and Policy
      • E-Sign
      • Health Insurance Portability and Accountability Act (HIPAA)
      • Government Paperwork Elimination Act (GPEA)
      • European Directive 1999/93/EC
    • Applications
      • Signed Document Formats
        • ETSI Signature Format
        • XML Signatures
      • Wireless Application Protocol (WAP)
      • PKI-Enabled Trusted Third-Part Services
    • Conclusion
  1. ASN.1 Primer
    • Syntax Definition
      • Simple Types
      • Structured Types
      • Implicit and Explicit Tagging
      • Other Types
    • Basic Encoding Rules
    • Distinguished Encoding Rules
  2. Object Identifiers
    • Obtaining Private OIDs
      • American National Standards Institute
      • Other National Standards Bodies
      • Internet Assigned Numbers Authority
      • Computer Security Objects Registry
    • Researching OIDs

Reviews

Planning for PKI

Reviewed by Roland Buresund

Very Good ******** (8 out of 10)

Last modified: May 6, 2021, 9:07 p.m.

Surprisingly, a very good overview of the practical and theoretical parts of PKI infrastructure.

Well worth reading.

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required

captcha

required