23.06.2006 17:27:21 Cross-certificate Replies: 2
ad
A purely theoretical question.
What is a cross-certificate in terms of the certificate's contents and the values of its fields and extensions? That is, what exactly makes it possible to use a certificate as a cross-certificate? Some extension? A field value?

Replies:
26.06.2006 15:44:30 user
ITU-T, X.509

A CA-certificate is a certificate issued by a CA to a subject that is itself a CA and therefore is capable of issuing public-key certificates. CA-certificates can be themselves categorized by the following types:
– Self-issued certificate – This is a certificate where the issuer and the subject are the same CA. A CA might use self-issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.
– Self-signed certificate – This is a special case of self-issued certificates where the private key used by the CA to sign the certificate corresponds to the public key that is certified within the certificate. A CA might use a self-signed certificate, for example, to advertise their public key or other information about their operations.
– Cross certificate – This is a certificate where the issuer and the subject are different CAs. CAs issue certificates to other CAs either as a mechanism to authorize the subject CA's existence (e.g. in a strict hierarchy) or to recognize the existence of the subject CA (e.g. in a distributed trust model). The cross-certificate structure is used for both of these.

8.1.2 Cross-certification
A certification authority may be the subject of a certificate issued by another certification authority. In this case, the certificate is called a cross-certificate, the certification authority that is the subject of the certificate is called the subject certification authority and the certification authority that issues the cross-certificate is called an intermediate certification authority (see Figure 2). Both the cross-certificate and the end-entity's certificate may contain a certificate policies extension.
The warranties and obligations shared by the subject certification authority, the intermediate certification authority and the certificate user are defined by the certificate policy identified in the cross-certificate, in accordance with which the subject certification authority may act as, or on behalf of, an end-entity. And the warranties and obligations shared by the certificate subject, the subject certification authority and the intermediate certification authority are defined by the certificate policy identified in the end-entity's certificate, in accordance with which the intermediate certification authority may act as, or on behalf of, a certificate user.

A certification path is said to be valid under the set of policies that are common to all certificates in the path.
An intermediate certification authority may, in turn, be the subject of a certificate issued by another certification authority, thereby creating certification paths of length greater than two certificates. And, since trust suffers dilution as certificate paths grow in length, controls are required to ensure that end-entity certificates with an unacceptably low associated trust level will be rejected by the certificate user. This is part of the function of the certification path processing procedure.
In addition to the situation described above, there are two special cases to be considered:
a) the certification authority does not use the certificate policies extension to convey its policy requirements to certificate users; and
b) the certificate user or intermediate certification authority delegates the job of controlling policy to the next authority in the path.
In the first case, the certificate should not contain a certificate policies extension at all. As a result, the set of policies under which the path is valid will be null. But, the path may be valid nonetheless. Certificate users shall still ensure that they are using the certificate in conformance with the policies of the authorities in the path.
In the second case, the certificate user or intermediate certification authority should include the special value any-policy in the initial-policy-set or cross-certificate. Where a certificate includes the special value any-policy, it should not include any other certificate policy identifiers. The identifier any-policy should not have any associated policy qualifiers.

The certificate user can ensure that all its obligations are conveyed in accordance with the standard by setting the initial-explicit-policy indicator. In this way, only authorities that use the standard certificate policies extension as their way of achieving binding are accepted in the path, and certificate users have no additional obligations. Because authorities also attract obligations when they act as, or on behalf of, a certificate user, they can ensure that all their obligations are conveyed in accordance with the standard by setting requireExplicitPolicy in the cross-certificate.
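The three CA-certificate categories quoted above depend on only two properties that are checkable from the certificate alone: whether the issuer and subject names are equal, and whether the signature verifies under the certificate's own public key. The following added example (not part of the thread or of the X.509 text) builds one certificate of each kind with the third-party `cryptography` package, including the key-rollover case where a CA signs its new key with its old one, and classifies them. All CA names and keys are constructed for the example; `basicConstraints` is used to separate CA-certificates from end-entity certificates.

```python
"""Classify CA-certificates as self-signed, self-issued or cross-certificates.

Added example; requires the third-party `cryptography` package.
All names ("Example CA A", "Example CA B") and keys are constructed here.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(subject_cn, subject_key, issuer_cn, issuer_key, ca=True):
    """Certify subject_key under subject_cn, signed by issuer_key as issuer_cn.

    ca=True marks the subject as a CA via basicConstraints (a CA-certificate);
    ca=False produces an end-entity certificate.
    """
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()),
            critical=False,
        )
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
            critical=False,
        )
    )
    return builder.sign(issuer_key, hashes.SHA256())


def is_self_signed(cert: x509.Certificate) -> bool:
    """True iff the signature verifies under the public key inside the certificate."""
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def classify(cert: x509.Certificate) -> str:
    """Apply the X.509 definitions: names decide self-issued vs cross, the signature decides self-signed."""
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # no basicConstraints: treat as not a CA
    if not is_ca:
        return "end-entity certificate"
    if cert.issuer != cert.subject:
        return "cross-certificate"  # issuer and subject are different CAs
    if is_self_signed(cert):
        return "self-signed certificate"  # signing key == certified key
    return "self-issued certificate"  # same CA, different key (e.g. key rollover)


def build_examples():
    """Constructed scenario: CA A (old and new key), CA B, and one end entity."""
    a_old = ec.generate_private_key(ec.SECP256R1())
    a_new = ec.generate_private_key(ec.SECP256R1())
    b = ec.generate_private_key(ec.SECP256R1())
    ee = ec.generate_private_key(ec.SECP256R1())
    return {
        # CA A advertises its own key: self-signed
        "root_a": issue_cert("Example CA A", a_old, "Example CA A", a_old),
        # CA A certifies its new key with its old key: self-issued, not self-signed
        "rollover": issue_cert("Example CA A", a_new, "Example CA A", a_old),
        # CA B recognises CA A: cross-certificate (issuer B, subject A)
        "cross_a_by_b": issue_cert("Example CA A", a_old, "Example CA B", b),
        # CA A issues to a non-CA subject
        "end_entity": issue_cert("alice", ee, "Example CA A", a_old, ca=False),
    }


if __name__ == "__main__":
    for label, cert in build_examples().items():
        print(f"{label:14s} -> {classify(cert)}")
```

Note that nothing in the cross-certificate itself says "cross": it is an ordinary CA-certificate whose issuer name differs from its subject name. What the relying party does with it (path length, policy constraints, `requireExplicitPolicy`) is decided during path processing, not by any dedicated field.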
26.06.2006 15:55:43 ad
Thanks. And how does a CA certificate (not a self-signed one, but say that of a subordinate CA) differ from an "end entity" certificate?