Reads on Security (x509 certificates)

RFC5280

Entities:
 Users
 Certificate authority
 Registration authority
 Repositories

Repositories meant as collections of Certificates and Certificate
Revocation Lists.

Certificate VS Public Key
The certificate binds the pub key to a subject, for a specific
time interval, and gets signed by the certificate authority.
Multiple certificates constitute the "identification path"
finalized to the validation of a public key.

Certificate Authority Certificates:

Cross-certificates:
  define the trust relation between two
  certificate authorities.

Self-issued cert:
  Issuer and signer is the same entity

Self-signed cert:
  Issuer and signer is the same entity (Self-issued)
  + The contained pubkey can verify the signature.
  ROOT CERTS are Self-signed.

Certificate Revocation List:
 On a public repo, signed by CA, contains serial numbers of the
 keys revoked by the CA.
 A recent CRL needs to be verified upon certificate validation.
 The design is somewhat flawed: in the time window between CRL
 updates, a revoked certificate is considered valid.
 Alternatives: Online Certificate Status Protocol (OCSR)

Online Certificate Status Protocol (not part of RFC):
 Not implemented everywhere (e.g. certain browsers do not)
 Possible privacy issues (online check on need implies
 disclosure).
 Check wikipedia page for details.

X509 format:
  In ASN-1 (a general purpose Type Length Value format)
    [
      {
        certificate,    -> {
        sig_algorithm,       version,
        sig_value            serial_no,
      },                     signature,
      ...                    validity,
    ]                        subject_name,
                             subject_pubkey
                           }