Online Certificate Status Manager; Subsystems For Managing Tokens - Red Hat CERTIFICATE SYSTEM 8 Install Manual

Chapter 1. Overview of Certificate System Subsystems
NOTE
The DRM only archives encryption keys, not signing keys, because that compromises the non-repudiation properties of signing keys. Non-repudiation means that a user cannot deny having performed some action, such as sending an encrypted email, because they are the only possessor of that key.

1.1.4. Online Certificate Status Manager

The Online Certificate Status Manager is an OCSP service, external to the Certificate Manager. Although the Certificate Manager is configured initially with an internal OCSP service, an external OCSP responder allows the OCSP subsystem to be outside the firewall and accessible externally, while keeping the Certificate Manager behind the firewall. Like the RA, the OCSP acts as a load-balancer for requests to the Certificate Manager.

The Online Certificate Status Manager verifies the status of a certificate by checking a certificate revocation list, published by the Certificate Manager, to see if the specified certificate has been revoked. More than one Certificate Manager can publish CRLs to a single OCSP.
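The check this section describes (an OCSP responder answering from CRLs that several Certificate Managers publish to it), as an added Python model that is not Certificate System code: it keeps the latest CRL per issuing CA, rejects a CRL whose number does not exceed the one already held, and answers 'unknown' rather than 'good' when its copy of the CRL has expired. `Crl`, `OcspFromCrl` and the CA names are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Crl:
    """Constructed model of a parsed CRL (issuer, number, validity, revoked)."""
    issuer: str
    number: int
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> reason code

class OcspFromCrl:
    """Status lookup over CRLs from several CAs (hypothetical, not RHCS code)."""
    def __init__(self):
        self._crls = {}  # issuer -> most recent accepted Crl

    def publish(self, crl: Crl) -> bool:
        # Reject a CRL number not above the one held: no rollback of revocations.
        current = self._crls.get(crl.issuer)
        if current is not None and crl.number <= current.number:
            return False
        self._crls[crl.issuer] = crl
        return True

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        # No CRL, or a CRL outside its validity window, is 'unknown', never 'good'.
        crl = self._crls.get(issuer)
        if crl is None or not (crl.this_update <= now < crl.next_update):
            return "unknown"
        return "revoked" if serial in crl.revoked else "good"

def demo() -> dict:
    """Two CAs publishing to one responder; returns the answers it gives."""
    t0 = datetime(2010, 3, 25, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ocsp = OcspFromCrl()
    ocsp.publish(Crl("CN=CA1", 7, t0, t0 + day, {0x1001: "keyCompromise"}))
    ocsp.publish(Crl("CN=CA2", 3, t0, t0 + day))
    rollback = ocsp.publish(Crl("CN=CA1", 6, t0, t0 + day))  # older CRL number
    query = t0 + timedelta(hours=1)
    return {
        "ca1_revoked": ocsp.status("CN=CA1", 0x1001, query),
        "ca1_good": ocsp.status("CN=CA1", 0x1002, query),
        "ca2_same_serial": ocsp.status("CN=CA2", 0x1001, query),
        "no_crl_for_ca": ocsp.status("CN=CA3", 0x1001, query),
        "stale_crl": ocsp.status("CN=CA1", 0x1002, t0 + 2 * day),
        "rollback_accepted": rollback,
    }
```

Serial numbers are only unique per issuing CA, which is why the lookup is keyed by issuer and the same serial can be revoked under CA1 but good under CA2.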

1.2. Subsystems for Managing Tokens

Two subsystems are required to manage tokens:
• Token Processing System (TPS), which accepts operations from a token and forwards them to the CA (for processing certificate requests, renewal, issuing, and revocation) and to the DRM (to archive or restore keys)
• Token Key Service (TKS), which generates master keys and symmetric keys for the TPS to use when communicating with other subsystems
A third application, the Enterprise Security Client, is the interface between the user and the TPS.
System 8 - install guide 25-03-2010