Friday, October 30, 2009

Summary

In this chapter, you looked at the fundamentals of validating and verifying X.509 certificates using the PKIX profile outlined in RFC 3280 (since superseded by RFC 5280). You have seen two alternative mechanisms, CRLs and OCSP, for checking whether an issuer has revoked a certificate, and you have also seen the JCA classes that support certificate path validation and certificate path building.


Over the course of this chapter, you have learned the following:

  • What certificate revocation lists (CRLs) are and how they are represented in the JCA
  • How to create, read, and process X.509 CRLs, as well as what underlying structures make them up
  • How to use a CertStore to contain CRLs and use an X509CRLSelector to retrieve them
  • What the Online Certificate Status Protocol (OCSP) is and how it differs from regular CRLs
  • How to implement OCSP clients and responders using the Bouncy Castle APIs
  • What certificate path validation is and how it is done using the CertPathValidator class
  • How to customize an existing PKIX path validation implementation using the PKIXCertPathChecker class
Finally, you also learned how to take a random collection of certificates and CRLs in a CertStore and, using the CertPathBuilder class, create a certificate path that is valid for an end entity certificate that you need to use.
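The following program is added here as a worked example; it is not code from the book or from the Bouncy Castle project. It ties the chapter's pieces together: a "Collection" CertStore holding certificates and a CRL, an X509CRLSelector query against it, a CertPathBuilder run, and a CertPathValidator run with revocation checking turned on. It assumes the Bouncy Castle provider and PKIX jars (bcprov and bcpkix) are on the classpath. The CA and end-entity names, serial numbers, keys and CRLs are constructed test fixtures, and the class and method names are the example's own.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Test CA, end-entity certificate and CRLs are constructed fixtures; class and method names are this example's own.
public class PathBuildAndValidate {
    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    static X509Certificate makeCert(X500Principal issuer, PrivateKey issuerKey, X500Principal subject,
                                    PublicKey subjectKey, long serial, boolean isCa) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + ONE_DAY_MS);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, BigInteger.valueOf(serial), notBefore, notAfter, subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
    }

    // CRL signed by the CA; with no revokedSerials it is a valid CRL that revokes nothing.
    static X509CRL makeCrl(X509Certificate caCert, PrivateKey caKey, BigInteger... revokedSerials) throws Exception {
        Date now = new Date();
        JcaX509v2CRLBuilder builder = new JcaX509v2CRLBuilder(caCert.getSubjectX500Principal(), now);
        builder.setNextUpdate(new Date(now.getTime() + ONE_DAY_MS));
        for (BigInteger serial : revokedSerials) {
            builder.addCRLEntry(serial, now, CRLReason.keyCompromise);
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey);
        return new JcaX509CRLConverter().setProvider("BC").getCRL(builder.build(signer));
    }

    static String buildAndValidate(X509Certificate caCert, X509Certificate eeCert, X509CRL crl) throws Exception {
        // The CertStore holds an unordered mix of certificates and CRLs.
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(caCert, eeCert, crl)));

        // X509CRLSelector pulls back only the CRLs issued by our CA.
        X509CRLSelector crlSelector = new X509CRLSelector();
        crlSelector.addIssuer(caCert.getSubjectX500Principal());
        int crlCount = store.getCRLs(crlSelector).size();

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(eeCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(caCert, null)), target);
        params.addCertStore(store);

        // Step 1: assemble the path with revocation checking off, so the builder only has
        // to find a chain from the target certificate to the trust anchor.
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath path = ((PKIXCertPathBuilderResult) builder.build(params)).getCertPath();

        // Step 2: validate the assembled path with revocation checking on; the PKIX
        // validator looks up CRLs for each issuer in the registered CertStores.
        params.setRevocationEnabled(true);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
            return "valid (" + crlCount + " CRL(s) available), anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // e.getReason() is BasicReason.REVOKED when a CRL lists the certificate.
            return "rejected: " + e.getReason() + " - " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair caPair = kpg.generateKeyPair();
        KeyPair eePair = kpg.generateKeyPair();
        X500Principal caName = new X500Principal("CN=Example Test CA");     // constructed test names
        X500Principal eeName = new X500Principal("CN=end-entity.example");
        X509Certificate caCert = makeCert(caName, caPair.getPrivate(), caName, caPair.getPublic(), 1, true);
        X509Certificate eeCert = makeCert(caName, caPair.getPrivate(), eeName, eePair.getPublic(), 2, false);

        X509CRL emptyCrl = makeCrl(caCert, caPair.getPrivate());
        System.out.println("empty CRL:    " + buildAndValidate(caCert, eeCert, emptyCrl));
        X509CRL revokingCrl = makeCrl(caCert, caPair.getPrivate(), eeCert.getSerialNumber());
        System.out.println("revoking CRL: " + buildAndValidate(caCert, eeCert, revokingCrl));
    }
}
```

With the empty CRL the path validates; with the CRL that lists the end-entity serial the validator throws CertPathValidatorException with reason REVOKED. Building with revocation disabled and then validating with it enabled keeps the two failure modes apart: a chain that cannot be assembled at all surfaces as a CertPathBuilderException from the builder, while a revoked certificate surfaces from the validator with a reason you can act on. Note that a path validates only if a CRL for every issuer can be found; with revocation enabled and no CRL in any CertStore the PKIX validator rejects the path rather than silently skipping the check.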


At this stage, you are able to generate private keys and build the certificate chains needed to validate their associated public keys. You have also seen in earlier chapters how to generate symmetric keys and how to encrypt private keys using them. As you might imagine, in some situations all of these are objects you will want to store somewhere safely for later retrieval or, possibly, import into another application. In the next chapter, you look at how this problem is solved using the KeyStore class, which types of KeyStore implementation are suited to particular applications, and how keystores can be exported or imported as appropriate.