Certificate Revocation Lists
A certificate revocation list (CRL) is a CA-signed list of revoked certificates
that allows clients and servers to check whether the certificate presented by the entity
they are dealing with is still valid.
Trust breaks down, and CRLs are required, when:
- a subject's private key is exposed,
- a CA's private key is exposed, and
- the relationship between the subject and CA changes
(e.g. the subject is no longer employed by the CA,
or stops paying money to the CA).
Certificate revocation plays a crucial part in the authentication process:
- Obtain the subject's digital certificate and verify its validity.
- Extract the serial number of the certificate.
- Fetch the current CRL from the CA.
- Verify the CRL's digital signature,
and record its publication time and when the next CRL is to be published.
- Examine the CRL to determine whether the intended certificate
has been revoked or suspended (based on the certificate serial number).
- Alert the user if the certificate is revoked.
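The steps above, carried through in code as an added example that is not from the lecture slides. It assumes a small in-memory CRL structure rather than the DER/ASN.1 encoding a real CA publishes, and stands in for the CA's signature with an HMAC-SHA256 tag under a constructed key (the standard library has no RSA or ECDSA); serial numbers, dates and the issuer name are constructed sample values. It also handles the failure modes a checker must not ignore: a CRL whose signature does not verify, and a CRL consulted after its nextUpdate time.

```python
"""Added example (not from the lecture slides): CRL lookup following the
authentication steps above against a constructed, in-memory CRL.

Assumptions: the CRL is a dict rather than DER/ASN.1, and the CA signature
is stood in for by an HMAC-SHA256 tag under a constructed key, so "verify
the CRL's digital signature" means recomputing that tag.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key standing in for the CA's signing key (assumption).
CA_KEY = b"constructed-ca-key-for-demo"

# RFC 5280 CRLReason codes used in the constructed list.
KEY_COMPROMISE = 1        # subject's private key exposed
AFFILIATION_CHANGED = 3   # subject/CA relationship changed
CERTIFICATE_HOLD = 6      # suspension rather than permanent revocation


def _tbs_bytes(crl):
    """Canonical encoding of the to-be-signed part (everything but the signature)."""
    tbs = {k: v for k, v in crl.items() if k != "signature"}
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def sign_crl(tbs_crl, key=CA_KEY):
    """CA side: attach the (stand-in) signature to the CRL fields."""
    crl = dict(tbs_crl)
    crl["signature"] = hmac.new(key, _tbs_bytes(crl), hashlib.sha256).hexdigest()
    return crl


def check_certificate(serial, crl, now, key=CA_KEY):
    """Relying-party side: return 'good', 'revoked' or 'suspended' for the
    certificate serial, or raise ValueError if the CRL cannot be trusted."""
    # Verify the CRL's signature before trusting anything in it.
    expected = hmac.new(key, _tbs_bytes(crl), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, crl.get("signature", "")):
        raise ValueError("CRL signature invalid: do not trust this list")
    # Record publication time and the time the next CRL is due.
    this_update = datetime.fromisoformat(crl["thisUpdate"])
    next_update = datetime.fromisoformat(crl["nextUpdate"])
    if now < this_update:
        raise ValueError("CRL is dated in the future")
    if now > next_update:
        # Fail closed: a CRL past nextUpdate may omit newer revocations.
        raise ValueError("CRL is stale (past nextUpdate); fetch a fresh one")
    # Examine the list by serial number.
    for entry in crl["revokedCertificates"]:
        if entry["serial"] == serial:
            if entry.get("reason") == CERTIFICATE_HOLD:
                return "suspended"
            return "revoked"
    return "good"


# Constructed sample CRL: issued on the lecture date, valid for one week.
ISSUED = datetime(2024, 5, 22, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRL = sign_crl({
    "issuer": "CN=Example CA (constructed)",
    "thisUpdate": ISSUED.isoformat(),
    "nextUpdate": (ISSUED + timedelta(days=7)).isoformat(),
    "revokedCertificates": [
        {"serial": "0x1001", "revocationDate": ISSUED.isoformat(), "reason": KEY_COMPROMISE},
        {"serial": "0x1002", "revocationDate": ISSUED.isoformat(), "reason": CERTIFICATE_HOLD},
        {"serial": "0x1003", "revocationDate": ISSUED.isoformat(), "reason": AFFILIATION_CHANGED},
    ],
})
NOW = ISSUED + timedelta(days=1)     # inside the validity window
STALE = ISSUED + timedelta(days=8)   # after nextUpdate


def demo():
    """Run the checker over the constructed CRL and return each outcome."""
    results = {}
    for serial in ("0x1001", "0x1002", "0x1003", "0x2000"):
        results[serial] = check_certificate(serial, SAMPLE_CRL, NOW)
    # A list with its revocations stripped must fail signature verification.
    tampered = dict(SAMPLE_CRL)
    tampered["revokedCertificates"] = []
    try:
        check_certificate("0x1001", tampered, NOW)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    # A CRL consulted after nextUpdate must not be relied on.
    try:
        check_certificate("0x2000", SAMPLE_CRL, STALE)
        results["stale"] = "accepted"
    except ValueError:
        results["stale"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order matters: the signature is checked before the freshness window and before the serial lookup, because an unsigned or tampered list could simply omit the serial of a revoked certificate. Treating a CRL past its nextUpdate as untrusted is the fail-closed choice; the Limitations section below is about the cost of keeping that window short.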
Limitations of Certificate Revocation
In a large public key infrastructure community,
CRLs are large and must be downloaded frequently.
Applications can be significantly slowed by the
need to retrieve the latest CRL from a heavily taxed directory server
(or other distribution point).
There is a trade-off between always being up to date
and the risk of falsely accepting a revoked certificate.
CITS3002 Computer Networks, Lecture 12, Cryptography's role in networking, p25, 22nd May 2024.