Describe the high-level architecture of Netscape's Certificate Management System.
What Are End Entities?
End entities are the clients of Netscape's Certificate Management System (CMS4):
the users or requesters of the certificates it issues.
Among these are:
- Clients, such as Netscape Navigator version 3.x; Netscape Communicator
version 4.x and later; Microsoft Internet Explorer versions 3.x, 4.x and
5.x
- SSL-enabled servers, such as Netscape Administration, Directory, and Enterprise
Servers
- Routers, such as Cisco routers
- VPN (Virtual Private Network) clients, such as Aventail, KyberPass, and RedCreek
End-Entity Interactions with CMS4
A registration service framework exists that includes the most commonly
expected PKI features:
manual, directory-based, and directory- plus PIN-based enrollment;
certificate-authenticated renewals and revocations; certificate life cycle
operations that include automated certificate renewal and expiration notifications.
End-entities access CMS4 through a gateway in a web browser.
This gateway provides the general front end for end-entity interactions with
the server. Through it, the Certificate Manager or Registration
Manager serves the appropriate HTML forms for end-entity operations
(the Data Recovery Manager does not have an end-entity interface).
These include forms for certificate enrollment, retrieval, query, renewal, import,
and revocation.
These forms are collectively referred to as the end-entity services interface.
End-entity interactions can take place over HTTP or HTTPS.
For example, routers using CEP, which includes its own encryption scheme, use
HTTP rather than HTTPS.
Each type of end-entity form provided by a Registration Manager or Certificate
Manager determines the type of client, such as Communicator or Internet
Explorer, and presents the appropriate input page.
Each form also specifies both an authentication module and an output template.
The authentication module (a set of rules for authenticating an end entity,
agent, administrator, or any other entity that needs to interact with a
CMS manager) is used by the servlet to authenticate the end entity;
the output template is an HTML page that returns information from the servlet
to the end entity.
Figure 3.2
Life Cycle Management of End-Entities
The Registration Manager and Certificate Manager provide default HTML
forms that use different protocols and life cycle management procedures
for different kinds of end entities.
For example, end entities running
Navigator 3.x and versions of Communicator earlier than 4.5 need to be
presented with an enrollment form based on the use of the HTML tag KEYGEN
to generate keys. End entities running Microsoft Internet Explorer
require a form containing VBScript XENROLL commands. These various tags,
scripts, and protocols result in enrollment messages that are sent back
to the Certificate Manager or Registration Manager in a variety of nonstandard
and standards-based formats.
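The KEYGEN-based enrollment described above produces a Netscape SPKAC (SignedPublicKeyAndChallenge) message; as an added example, not code from the page or from CMS4, the following Go round trip shows the browser side wrapping its new public key with the server's challenge and signing it, and the server side accepting the key only if the challenge is the one it issued and the signature proves possession of the private key. The names Enroll and Verify are my own, and SHA-256 with RSA is assumed in place of the MD5 signature that browsers of that era used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)
// sha256WithRSAEncryption; the MD5 that KEYGEN-era browsers used is swapped for SHA-256 (an assumption).
var oidSHA256RSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
// PublicKeyAndChallenge is the signed part of a SPKAC: the new public key plus the server's challenge.
type PublicKeyAndChallenge struct {
	Raw       asn1.RawContent // exact DER as received (set by Unmarshal); the signature covers these bytes
	SPKI      asn1.RawValue   // SubjectPublicKeyInfo, kept as raw DER
	Challenge string          `asn1:"ia5"` // the value the server placed in the KEYGEN tag
}
type SignedPublicKeyAndChallenge struct { // the outer SPKAC structure the browser posts back
	PKAC      PublicKeyAndChallenge
	SigAlg    pkix.AlgorithmIdentifier
	Signature asn1.BitString
}
// Enroll plays the browser: wrap the public key and the server's challenge, then sign with the private key.
func Enroll(priv *rsa.PrivateKey, challenge string) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return nil, err }
	pkac := PublicKeyAndChallenge{SPKI: asn1.RawValue{FullBytes: spki}, Challenge: challenge}
	tbs, err := asn1.Marshal(pkac)
	if err != nil { return nil, err }
	digest := sha256.Sum256(tbs)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return nil, err }
	return asn1.Marshal(SignedPublicKeyAndChallenge{pkac, pkix.AlgorithmIdentifier{Algorithm: oidSHA256RSA,
		Parameters: asn1.NullRawValue}, asn1.BitString{Bytes: sig, BitLength: len(sig) * 8}})
}
// Verify plays the Registration or Certificate Manager: accept only if the challenge is the one this
// server issued (rejects replayed or foreign requests) and the signature proves possession of the key.
func Verify(spkacDER []byte, expected string) (*rsa.PublicKey, error) {
	var s SignedPublicKeyAndChallenge
	if rest, err := asn1.Unmarshal(spkacDER, &s); err != nil || len(rest) != 0 { return nil, errors.New("malformed SPKAC") }
	if s.PKAC.Challenge != expected { return nil, errors.New("challenge mismatch") }
	if !s.SigAlg.Algorithm.Equal(oidSHA256RSA) { return nil, errors.New("unsupported signature algorithm") }
	pub, err := x509.ParsePKIXPublicKey(s.PKAC.SPKI.FullBytes)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok { return nil, errors.New("SPKI does not carry an RSA key") }
	digest := sha256.Sum256(s.PKAC.Raw) // verify over the exact bytes the browser signed, not a re-encoding
	if rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], s.Signature.Bytes) != nil { return nil, errors.New("proof of possession failed") }
	return rsaPub, nil
}
```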