Certificate Revocation
- a certificate can be revoked or suspended
  - revoked
    - no longer valid; cannot be un-revoked or reinstated
  - suspended
    - can be re-enabled later
- revocation can be done for many reasons
  - e.g., private key compromise, business closure, user leaving a company, domain name change, certificate misuse, etc.
  - reasons are codified
    - Unspecified, Key Compromise, CA Compromise, Superseded, or Cessation of Operation
Certificate revocation list (CRL) is a list of certificates that were revoked before their expiration date.
- used to inform users whether a certificate is valid, revoked, or suspended
- the CA maintains its own CRL
  - it must be accessible to anyone relying on the validity of the CA's certificates
  - each certificate should carry information on how to check the CRL
- attributes:
  - Publish period
    - date and time at which the CRL is published
    - usually published automatically
  - Distribution point(s)
    - location(s) to which the CRL is published
  - Validity period
    - period during which the CRL is considered authoritative
    - usually a bit longer than the publish period
    - e.g., if the publish period is every 24 hours, the validity period might be 25 hours
  - Signature
    - signed by the CA so that relying parties can verify its authenticity
- problems
  - risk that a certificate has been revoked but is still accepted by clients
    - because an up-to-date CRL has not yet been published
  - an application may not be configured to perform CRL checking
    - typically only an issue with legacy browsers
Online certificate status protocol (OCSP) allows clients to request the status of a digital certificate, to check whether it has been revoked.
- the responder communicates only the requested certificate's status
  - rather than the entire CRL
- details of the OCSP responder service should be published in the certificate
- most OCSP servers can query the certificate database directly and obtain real-time status
- other OCSP servers depend on the CRLs
  - their answers are then limited to the CRL publishing interval
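The following is an added worked example, not part of these notes, covering both the CRL section and the OCSP section above. It uses the Python `cryptography` library (assumed to be installed) to stand up a throwaway test CA, issue a leaf certificate, publish CRLs on a 24-hour schedule with a 25-hour validity period, and have a relying party check the CRL's signature and validity window before trusting its contents. It then builds a CRL-backed OCSP responder and a client that verifies the response. The CA name, hostname, timeline and schedule are all constructed for the example; the one named reason code, Key Compromise, is from the notes. The timeline deliberately reproduces the problem the notes describe: the key is compromised between two CRL publications, so the cached CRL still reports "good".

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
PUBLISH_PERIOD = dt.timedelta(hours=24)   # CRL re-issued daily (assumed schedule)
VALIDITY_PERIOD = dt.timedelta(hours=25)  # a little longer than the publish period

def _window(obj, start):  # thisUpdate/nextUpdate as aware UTC, any cryptography version
    if hasattr(obj, "next_update_utc"):
        return getattr(obj, start + "_utc"), obj.next_update_utc
    return getattr(obj, start).replace(tzinfo=UTC), obj.next_update.replace(tzinfo=UTC)

def make_cert(cn, now, issuer=None, signer=None):
    """Constructed test certificate: self-signed CA if issuer is None, else a leaf."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=1))
         .not_valid_after(now + dt.timedelta(days=365)))
    if issuer is None:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return key, b.sign(signer or key, hashes.SHA256())

def publish_crl(ca_key, ca_cert, revocations, published_at):
    """Sign a CRL; revocations maps serial -> x509.ReasonFlags (the codified reason)."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(published_at)                      # publish date and time
         .next_update(published_at + VALIDITY_PERIOD))   # end of the validity period
    for serial, reason in revocations.items():
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(published_at)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())

def check_with_crl(crl, ca_cert, cert, now):
    """Relying-party check: verify the CRL itself before trusting what it lists."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not signed by the expected CA")
    this_update, next_update = _window(crl, "last_update")
    if not this_update <= now <= next_update:
        return "stale"  # outside the validity period: fetch a fresh CRL, do not guess
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    return "revoked:" + entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name

def respond_from_crl(req, crl, ca_key, ca_cert, cert):
    """CRL-backed OCSP responder: its answer is only as fresh as the CRL it reads."""
    if req.serial_number != cert.serial_number:
        raise ValueError("request is for a certificate this responder does not know")
    this_update, next_update = _window(crl, "last_update")
    entry = crl.get_revoked_certificate_by_serial_number(req.serial_number)
    status, rev_time, rev_reason = ocsp.OCSPCertStatus.GOOD, None, None
    if entry is not None:
        status = ocsp.OCSPCertStatus.REVOKED
        rev_time = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
        rev_reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=status, this_update=this_update, next_update=next_update,
                          revocation_time=rev_time, revocation_reason=rev_reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))

def read_ocsp(resp, ca_cert, now):
    """Client side: check the responder's signature and freshness, then the status."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder returned an error status")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    this_update, next_update = _window(resp, "this_update")
    if not this_update <= now <= next_update:
        return "stale"
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "good"
    return "revoked:" + resp.revocation_reason.name

def demo():
    t0 = dt.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)  # constructed timeline
    ca_key, ca_cert = make_cert("Example Test CA", t0)
    _, leaf = make_cert("service.example.test", t0, issuer=ca_cert, signer=ca_key)
    crl_v1 = publish_crl(ca_key, ca_cert, {}, t0)
    # Key compromised at t0+2h; the CA can only list it in the next daily CRL (v2),
    # so a client holding v1 keeps getting "good" until v1 leaves its validity period.
    crl_v2 = publish_crl(ca_key, ca_cert, {leaf.serial_number: x509.ReasonFlags.key_compromise}, t0 + PUBLISH_PERIOD)
    at = lambda hours: t0 + dt.timedelta(hours=hours)
    out = {f"v1_at_{n}h": check_with_crl(crl_v1, ca_cert, leaf, at(n)) for n in (1, 20, 26)}
    out["v2_at_25h"] = check_with_crl(crl_v2, ca_cert, leaf, at(25))
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, ca_cert, hashes.SHA256()).build()
    out["ocsp_at_25h"] = read_ocsp(respond_from_crl(req, crl_v2, ca_key, ca_cert, leaf), ca_cert, at(25))
    return out
```

Running `demo()` returns a dictionary: `v1_at_1h` and `v1_at_20h` are both `good` (the second is the window in which a revoked certificate is still accepted), `v1_at_26h` is `stale` because the 25-hour validity period has passed, and `v2_at_25h` and `ocsp_at_25h` both report `revoked:key_compromise`. Both checkers return `stale` rather than `good` for an expired CRL or response, which is the fail-closed choice; the OCSP responder here inherits the CRL's `thisUpdate`/`nextUpdate`, which is exactly why a CRL-backed responder cannot be fresher than the CRL publishing interval.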