Registration Authorities - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual


Managing Certificates
intervals and checking the list as part of the authentication process. For some
organizations, it may be preferable to check directly with the issuing CA each time
a certificate is presented for authentication. This procedure is sometimes called
real-time status checking.

Registration Authorities

Interactions between entities identified by certificates (sometimes called end
entities) and CAs are an essential part of certificate management. These
interactions include operations such as registration for certification, certificate
retrieval, certificate renewal, certificate revocation, and key backup and recovery.
In general, a CA must be able to authenticate the identities of end entities before
responding to the requests. In addition, some requests need to be approved by
authorized administrators or managers before being serviced.

As previously discussed, the means used by different CAs to verify an identity
before issuing a certificate can vary widely, depending on the organization and the
purpose for which the certificate will be used. To provide maximum operational
flexibility, interactions with end entities can be separated from the other functions
of a CA and handled by a separate service called a Registration Authority (RA).

An RA acts as a front end to a CA by receiving end entity requests, authenticating
them, and forwarding them to the CA. After receiving a response from the CA, the
RA notifies the end entity of the results. RAs can be helpful in scaling a PKI across
different departments, geographical areas, or other operational units with varying
policies and authentication requirements.
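
The following added example (not from the manual and not Certificate Management System code) uses the OpenSSL command line to show the split described above: the RA vets each request and the CA signs only what the RA forwards. The function names, the subject names and the OU-based policy are assumptions made for the example; the CSR signature check and the OU match stand in for whatever authentication an organization's RA actually performs.

```shell
#!/bin/sh
# Added illustration: an RA vets a request, the CA signs only what the RA forwards.
# All names, subjects and the OU policy below are constructed for the demo.
set -eu
WORK=$(mktemp -d)

# CA: throwaway self-signed root. Only the ca_* functions ever read ca.key.
ca_init() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Corp/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CA: sign a request that the RA has forwarded.
ca_issue() {  # $1 = request name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# End entity: generate a key pair and a certificate request.
ee_request() {  # $1 = request name, $2 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# RA: front end. Checks the request, forwards it, reports the result.
ra_submit() {  # $1 = request name, $2 = OU this RA is allowed to serve
  csr="$WORK/$1.csr"
  # Proof of possession: the CSR must be signed by the key it contains.
  # Match on the text because older OpenSSL exits 0 even on failure.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
    || { echo "rejected: bad request signature"; return 1; }
  # Local policy: this RA only handles its own operational unit.
  openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
    | grep -Eq "OU=$2(,|\$)" \
    || { echo "rejected: outside this RA's policy"; return 1; }
  ca_issue "$1" || { echo "rejected: CA refused"; return 1; }
  echo "issued"
}

# One in-policy and one out-of-policy request against an Engineering RA.
demo() {
  ca_init
  ee_request alice "/O=Example Corp/OU=Engineering/CN=alice"
  ee_request bob "/O=Example Corp/OU=Sales/CN=bob"
  ra_submit alice Engineering
  ra_submit bob Engineering || true
}
demo
```

The RA functions never touch `ca.key`, which is the property that lets several RAs with different policies sit in front of one CA.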
Appendix J
Introduction to Public-Key Cryptography

This manual is also suitable for:

Certificate management system 6.1
