IT-Secure.com Technical Comment
Core Components of the Entrust/PKI

The Core Components of Entrust/PKI v5

Classification: Technical Comment for Public Distribution
Version and Date: 2.0, September 20th, 2001
Author: Luke O’Connor, IT-Secure.com
Comments and Questions to: luke.oconnor@it-secure.com
 
SUMMARY 
There are many documents and standards, and more recently books, that describe the general components of a Public Key Infrastructure (PKI), including Certification and Registration Authorities, a Directory, a CA Database, and a Personal Security Environment for client certificates. The impression such documents give is that we should expect a noticeable degree of uniformity in the architectures and products being offered by the main PKI vendors. While there is agreement on the basic components, the inherent complexity of a commercial PKI solution almost guarantees that vendors will produce solutions with essentially unique features.

This document gives an overview of the major components of the Entrust/PKI. The contents refer to Entrust version 5, but most technical statements also apply to Entrust version 6. We focus on the certificate and key life cycle management functions of the Entrust/PKI, since by examining these processes we are best able to understand the interworkings of the Entrust/PKI components.
2005 IT-Secure.com AG, Rümlangerstrasse 9, Postfach 1105, 8105 Watt, Zurich, Switzerland. Tel: +41 (0)1 817 3690; Fax: +41 (0)1 817 3693.
Email: info@it-secure.com; Web: http://www.it-secure.com.
2 Introduction
In this document we provide a brief introduction to the core components of the Entrust/PKI, as implemented in version 5. Most technical statements concerning these components apply to Entrust version 6, and will also be accurate for future versions unless the vendor undertakes a major architectural shift in its core product offering.

The general functions of a certificate/key life cycle management (CKLCM) sub-system are shown in Figure 1, adapted from the description provided in [Ada99].¹ These functions are invoked as a certificate/key passes from issuance, to an operational state, and then finally to cancellation. To describe the core components of the Entrust/PKI we have chosen to explain how some of the functions listed in Figure 1 are implemented in the Entrust/PKI. We have used standard Entrust documentation and training material as the sources of technical information. Naturally enough there are many other Entrust/PKI components not considered in this document, such as Unity, Entrust’s web browser plug-in. We focus our attention on the core components that would be installed as part of purchasing Entrust/PKI. Further, additional components such as Unity must comply with the basic architecture of the Entrust/PKI, so it is important to understand the functions of these basic components when a more complex Entrust-based PKI is to be developed.
Figure 1: CKLCM functions in a PKI.
¹ A tag of the form [Ada99] denotes a reference listed in section 6.
lukeo left a comment

Other articles at my blog http://lukenotricks.blogspot.com/