PKI Resource Query Protocol - Related Methods - Certificate Extensions

Certificate Extensions

To provide pointers to published data, a CA could use the Authority Information Access (AIA) and Subject Information Access (SIA) extensions as detailed in RFC-3280. The former provides information about the issuer of the certificate, while the latter carries information (inside CA certificates) about the services the subject offers. The Subject Information Access extension can carry a URI pointing to certificate repositories and timestamping services. Hence this extension allows services to be reached over several different protocols (e.g. HTTP, FTP, LDAP or SMTP).
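The following is an added example, not code from the original page or from the PRQP project. It decodes the DER value of an AIA or SIA extension as defined in RFC 3280/5280 (a SEQUENCE of AccessDescription, each an accessMethod OID plus an accessLocation GeneralName) and groups the resulting URIs by protocol scheme, which is where the "several different protocols" in the paragraph above comes from. The sample extension values and host names (`ocsp.example.test`, `dir.example.test`, `tsa.example.test`) are constructed here for the demonstration; the access-method OIDs are the ones assigned in RFC 5280. Only the uniformResourceIdentifier choice of GeneralName is turned into a string; any other choice (such as a directoryName) is reported as `None` so the caller can see that no URL is available.

```python
"""Decode AIA / SIA extension values (RFC 5280 section 4.2.2.1 and 4.2.2.2)."""

# accessMethod OIDs assigned in RFC 5280 (id-ad-* arcs under 1.3.6.1.5.5.7.48).
ACCESS_METHODS = {
    "1.3.6.1.5.5.7.48.1": "ocsp",          # id-ad-ocsp (AIA)
    "1.3.6.1.5.5.7.48.2": "caIssuers",     # id-ad-caIssuers (AIA)
    "1.3.6.1.5.5.7.48.3": "timeStamping",  # id-ad-timeStamping (SIA)
    "1.3.6.1.5.5.7.48.5": "caRepository",  # id-ad-caRepository (SIA)
}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_URI = 0x86            # GeneralName [6] uniformResourceIdentifier, IMPLICIT IA5String
TAG_GN_DIRECTORY_NAME = 0xA4  # GeneralName [4] directoryName, constructed


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap a body in a DER tag/length/value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID string into OID content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Decode OID content octets back into dotted form (first arc 0 or 1 assumed)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_information_access(extn_value):
    """Return [(access method name, URI or None), ...] for an AIA/SIA extnValue."""
    tag, seq, end = read_tlv(extn_value, 0)
    if tag != TAG_SEQUENCE or end != len(extn_value):
        raise ValueError("extension value must be a single SEQUENCE OF AccessDescription")
    result, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid_bytes, after_oid = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        method = decode_oid(oid_bytes)
        tag, location, _ = read_tlv(desc, after_oid)
        # Only a URI GeneralName can be handed to a client as a URL.
        uri = location.decode("ascii") if tag == TAG_GN_URI else None
        result.append((ACCESS_METHODS.get(method, method), uri))
    return result


def service_urls_by_scheme(extn_value):
    """Group the URIs of an AIA/SIA value by protocol scheme (http, ldap, ...)."""
    by_scheme = {}
    for method, uri in parse_information_access(extn_value):
        if uri is None:
            continue
        by_scheme.setdefault(uri.split(":", 1)[0].lower(), []).append((method, uri))
    return by_scheme


def _access_description(method_oid, general_name):
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, der_oid(method_oid)) + general_name)


# Constructed sample values, not taken from any real certificate.
SAMPLE_AIA = der_tlv(TAG_SEQUENCE,
    _access_description("1.3.6.1.5.5.7.48.1", der_tlv(TAG_GN_URI, b"http://ocsp.example.test"))
    + _access_description("1.3.6.1.5.5.7.48.2", der_tlv(TAG_GN_URI, b"ldap://dir.example.test/cn=CA"))
    + _access_description("1.3.6.1.5.5.7.48.2", der_tlv(TAG_GN_DIRECTORY_NAME, der_tlv(TAG_SEQUENCE, b""))))
SAMPLE_SIA = der_tlv(TAG_SEQUENCE,
    _access_description("1.3.6.1.5.5.7.48.5", der_tlv(TAG_GN_URI, b"ldap://dir.example.test/cn=CA"))
    + _access_description("1.3.6.1.5.5.7.48.3", der_tlv(TAG_GN_URI, b"http://tsa.example.test/tsp")))

if __name__ == "__main__":
    print("AIA:", parse_information_access(SAMPLE_AIA))
    print("SIA by scheme:", service_urls_by_scheme(SAMPLE_SIA))
```

The decoder deliberately stops at the GeneralName choice: an accessLocation that is a directoryName or an rfc822Name carries no URL, and a client that assumes every AccessDescription yields a fetchable URI will mis-handle such certificates. Note also that the values come straight out of the signed certificate, which is the static-pointer property the next paragraphs discuss.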

Although encouraged, usage of the AIA and SIA extensions is still not widely deployed. There are two main reasons for this. The first is the lack of support for such extensions in available clients. The second is that extensions are static, i.e. not modifiable: to modify or add extensions so that users and applications become aware of new services or of their discontinuation, the certificate must be re-issued.

This would not be feasible for End Entity (EE) certificates, except during periodic reissuing, but it would be feasible for the CA certificate itself. The CA could retain the same public key and name and just add new values to the AIA extension in the new certificate. If users fetched the CA certificate regularly, rather than caching it, this would enable them to become aware of the new services. Although this is possible, almost all available clients do not look up CA certificates if they are already stored in the client's local database.

In any case, since URLs tend to change quite often while certificates persist for longer time frames, experience suggests that these extensions invariably end up pointing to URLs that no longer exist. Moreover, considering that the entity that issues the certificates and the one that runs the services may not be the same, it is infeasible that the issuing CA will reissue all of its certificates whenever a server URL changes. Therefore it is not wise to depend on the AIA or SIA extensions for looking up available services and repositories.
