A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Appendix A: X.509 Certificates and Insight Remote Support Advanced
Some of these CRL checks can cause unexpected network traffic. Some CRL-checking mechanisms first try a local copy of the CRL; if no local CRL is available, or it is out of date, they then try the URIs found in the CRL Distribution Point attribute. OCSP activity can also trigger network traffic. When the RSC checks the revocation status of the services.isee.hp.com certificate, it may try the following URIs:
• http://crl.verisign.com/pca3.crl - URI for the VeriSign Class 3 Public Primary CA CRL
• http://SVRSecure-crl.verisign.com/SVRSecure2005.crl - URI for the VeriSign Class 3 Secure Server CA CRL
• http://ocsp.verisign.com - Location of VeriSign's OCSP server
All of this means that a network manager could see attempts to contact these three systems on TCP port 80 if no HTTP proxy server is used.
If the CRL is not present or not accessible, the RSC assumes the certificate is valid.
Self-Signed Certificates
A self-signed certificate is a certificate that has been signed with its own private key. A CA root certificate is a self-signed certificate. Unlike verification of a CA-issued certificate, successful verification of a self-signed certificate requires the verifier to already hold a copy of that certificate. Some observations about self-signed certificates:
• The use of self-signed certificates does not scale well. If a group of systems wish to authenticate each other using self-signed certificates, each system must have a copy of all of the other systems' certificates.
• Self-signed certificates are administered just like SSH public keys, except that they have an expiration date.
• CRLs do not exist, and thus if a self-signed certificate is compromised, each copy must be found and removed. Note that the same would be true for a CA root certificate.
HP Insight Remote Support Advanced and Remote Device Access (A.05.80) Page 55 of 97