Certificate Revocation

Revocation of a certificate invalidates a certificate as a trusted security credential prior to the natural expiration of its validity period. There are a number of reasons why a certificate, as a security credential, could become untrustworthy prior to its expiration, including the following:

  • Compromise, or suspected compromise, of the certificate subject's private key.

  • Compromise, or suspected compromise, of a CA's private key.

  • Discovery that a certificate was obtained fraudulently.

  • Change in the status of the certificate subject as a trusted entity.

  • Change in the name of the certificate subject.

A PKI depends on distributed verification of credentials in which there is no need for direct communication with the central trusted entity that vouches for the credentials. This creates a need to distribute certificate revocation information to the individuals, computers, and applications that attempt to verify the validity of certificates. The need for revocation information, and how current it must be, varies according to the application and its implementation of certificate revocation checking.

To support certificate revocation effectively, the validating entity must be able to determine whether a certificate is still valid or has been revoked. Windows supports industry-standard methods of certificate revocation, including publication of CRLs and delta CRLs in several locations that clients can access: Active Directory, Web servers, and network file shares.

CRLs are digitally signed lists of unexpired certificates that have been revoked. Clients retrieve this list, cache it for the configured lifetime of the CRL, and use it to verify certificates presented for use. Because CRLs can grow large, depending on the size of the CA, delta CRLs can also be published. A delta CRL contains only the certificates revoked since the last base CRL was published, which allows clients to retrieve the smaller delta CRL and quickly build a complete list of revoked certificates. Delta CRLs also allow more frequent publishing, because a delta CRL is usually much smaller than a full CRL and so imposes less overhead to publish and retrieve.

NOTE
Windows Server 2003 CAs support delta CRLs. Delta CRLs are not supported by Windows 2000 Server CAs.

Certificate Revocation and IAS

By default, the Internet Authentication Service (IAS) server acting as a RADIUS server checks for certificate revocation for all the certificates in the certificate chain sent by the wireless client during the EAP-TLS authentication process. If the certificate revocation check fails for any certificate in the chain, the connection attempt is rejected. The certificate revocation check for a certificate can fail for the following reasons:

  • The certificate has been revoked

    The issuer of the certificate has explicitly revoked the certificate.

  • The CRL for the certificate is not reachable or available

    CAs maintain CRLs and publish them to specific CRL distribution points. The CRL distribution points are included in the CRL Distribution Points field of the certificate, which is shown in the following graphic.

    [Graphic: the CRL Distribution Points field of a certificate]

    If the CRL distribution points cannot be contacted to check for certificate revocation, the certificate revocation check fails.

    Additionally, if there are no CRL distribution points in the certificate, the IAS server cannot verify that the certificate has not been revoked, and the certificate revocation check fails.

  • The publisher of the CRL did not issue the certificate

    The CRL identifies the CA that published it. If the publishing CA of the CRL does not match the issuing CA of the certificate for which certificate revocation is being checked, the certificate revocation check fails.

  • The CRL is not current

    Each published CRL has a range of valid dates. If the CRL Next Update date has passed, the CRL is considered invalid, and the certificate revocation check fails. New CRLs should be published before the expiration date of the last published CRL.
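The four failure rules above, as an added Python example that is not from the book: it builds a constructed CA, client certificates and CRLs with the `cryptography` library and applies each rule in the order listed. The CA names, serial numbers, distribution point URL and reference clock are assumptions, and the network fetch of the CRL from the distribution point is not modelled.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY = datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=1)  # constructed clock
# Hypothetical distribution point; a real certificate carries whatever URL the issuing CA publishes
CDP = x509.DistributionPoint([x509.UniformResourceIdentifier("http://pki.test/ca.crl")], None, None, None)
new_key = lambda: ec.generate_private_key(ec.SECP256R1())  # EC keys keep generation fast

def make_cert(cn, key, issuer=None, issuer_key=None, serial=None, with_cdp=False):
    # issuer=None: self-signed CA; with_cdp: add the CRL Distribution Points field verifiers read
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subj).issuer_name(issuer.subject if issuer else subj)
         .public_key(key.public_key()).serial_number(serial or x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY))
    b = b.add_extension(x509.CRLDistributionPoints([CDP]), critical=False) if with_cdp else b
    return b.sign(issuer_key or key, hashes.SHA256())

def publish_crl(ca_key, ca, revoked_serials, next_update):  # next_update -> CRL Next Update field
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(NOW - DAY).next_update(next_update))
    for s in revoked_serials:
        rc = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW - DAY).build()
        b = b.add_revoked_certificate(rc)
    return b.sign(ca_key, hashes.SHA256())

def check_revocation(cert, crl, now=NOW):  # "ok" or the failure reason, in the order listed above
    if not any(e.oid == ExtensionOID.CRL_DISTRIBUTION_POINTS for e in cert.extensions):
        return "fail: certificate has no CRL distribution points"
    if crl.issuer != cert.issuer:
        return "fail: CRL publisher did not issue this certificate"
    next_up = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if now > next_up:  # a CRL past its Next Update is invalid, so the check fails closed
        return "fail: CRL is not current (Next Update has passed)"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "fail: certificate has been revoked"
    return "ok"

def demo():  # one scenario per rule, built entirely from constructed certificates
    ca_key, other_key = new_key(), new_key()
    ca, other = make_cert("Wireless Issuing CA", ca_key), make_cert("Unrelated CA", other_key)
    client = lambda serial, cdp=True: make_cert("wireless-client", new_key(), ca, ca_key, serial, cdp)
    crl = publish_crl(ca_key, ca, [1002], NOW + 7 * DAY)  # serial 1002 was revoked
    return {"valid": check_revocation(client(1001), crl),
            "revoked": check_revocation(client(1002), crl),
            "no_cdp": check_revocation(client(1003, False), crl),
            "wrong_publisher": check_revocation(client(1001), publish_crl(other_key, other, [], NOW + DAY)),
            "stale": check_revocation(client(1001), publish_crl(ca_key, ca, [], NOW - DAY / 24))}
```

Production code must also verify the CRL's signature with the issuing CA's public key (for example with `crl.is_signature_valid`) before trusting any of its contents.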

Certificate revocation checking behavior for IAS can be modified with registry settings. For more information, see Chapter 16, Troubleshooting the Authentication Infrastructure.

Because certificate revocation checking can prevent wireless access due to the unavailability or expiration of CRLs for each certificate in the certificate chain, you should design your PKI for high availability of CRLs. For instance, configure multiple CRL distribution points for each CA in the certificate hierarchy and configure publication schedules that ensure that the most current CRL is always available.

Certificate revocation checking is only as accurate as the last published CRL. For example, when a certificate is revoked, by default a new CRL containing the newly revoked certificate is not automatically published; CRLs are typically published on a configurable schedule. This means that the revoked certificate can still be used for authentication until the next CRL is published: the currently published CRL is not current, it does not list the revoked certificate, and the certificate can therefore still be used to create wireless connections. To prevent this, the network administrator must manually publish a new CRL that contains the newly revoked certificate.

By default, the IAS server uses the CRL distribution points in the certificates. However, it is also possible to store a local copy of the CRL on the IAS server, in which case the local CRL is used during certificate revocation checking. If a new CRL is manually published to Active Directory, the local CRL on the IAS server is not updated; it is updated only when it expires. This can create a situation in which a certificate is revoked and the CRL is manually published, but the IAS server still allows the connection because its local CRL has not yet been updated.


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies