Certificate Revocation Lists

Certificates do not last forever; each includes an expiry date after which it is no longer valid. A considerable problem, however, is what to do if a certificate is compromised before it has expired. If someone breaks your encryption or steals your private key, your security is compromised: you have to generate a new key pair and, by implication, a new certificate. But you must also flag your old certificate as untrustworthy.

This is done through Certificate Revocation Lists (CRLs), controlled by the Certificate Authority that issued the certificate. If a certificate is withdrawn it is listed in the CRL, and clients and servers checking the authenticity of that certificate should pick this up. If they find it in the CRL they must not accept it.

The practical problem with CRLs is that no-one supports them. Currently, systems which use certificates typically accept them until they have expired and never check the CRL. Support is slated to appear in the next generation of browsers and servers from the major vendors such as Netscape and Microsoft. In addition, new-generation security products such as Netscape's Certificate Server support CRLs.
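The two paragraphs above describe two different relying-party behaviours: one that only checks the expiry date (what the text says current systems do) and one that also consults the issuer's CRL and rejects anything listed there. The following is an added example, not code from the original page; it models both checks on constructed in-memory data with the Python standard library only, so it does not parse real X.509 or verify the CRL's signature (a real client must first verify that the CRL is signed by the issuing CA). The issuer name, serial numbers and dates are made-up sample values, and `fail_closed` is a hypothetical parameter used to show the difference between rejecting and accepting a certificate when no CRL can be obtained.

```python
"""Toy CRL check: what a relying party must do beyond looking at the expiry date."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Tuple


class Status(Enum):
    GOOD = "good"
    EXPIRED = "expired"                      # outside the certificate's own validity window
    REVOKED = "revoked"                      # serial number appears on the issuer's CRL
    CRL_UNAVAILABLE = "crl unavailable"      # no CRL could be obtained
    CRL_STALE = "crl stale"                  # CRL is outside its thisUpdate/nextUpdate window
    CRL_ISSUER_MISMATCH = "crl issuer mismatch"  # CRL was not issued by the certificate's CA


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime  # informational: when the CA recorded the revocation
    reason: str


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Tuple[RevokedEntry, ...]


def check_expiry_only(cert: Certificate, now: datetime) -> Status:
    """The behaviour the text criticises: accept until expiry, never consult the CRL."""
    if not (cert.not_before <= now <= cert.not_after):
        return Status.EXPIRED
    return Status.GOOD


def check_with_crl(cert: Certificate, crl: Optional[CRL], now: datetime,
                   fail_closed: bool = True) -> Status:
    """Expiry check plus CRL check. The CRL is assumed to be signature-verified already."""
    status = check_expiry_only(cert, now)
    if status is not Status.GOOD:
        return status
    if crl is None:
        # fail_closed is a hypothetical policy switch: rejecting is the safe default,
        # accepting reproduces the "never checks the CRL" behaviour of the text.
        return Status.CRL_UNAVAILABLE if fail_closed else Status.GOOD
    if crl.issuer != cert.issuer:
        return Status.CRL_ISSUER_MISMATCH
    if not (crl.this_update <= now < crl.next_update):
        return Status.CRL_STALE          # an expired CRL proves nothing about current status
    if any(entry.serial == cert.serial for entry in crl.revoked):
        return Status.REVOKED            # listed means revoked, regardless of reason
    return Status.GOOD


# Constructed sample data (not from any real CA).
ISSUER = "CN=Example CA (sample)"
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CERT = Certificate(serial=0x1001, issuer=ISSUER,
                   not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
                   not_after=datetime(2026, 1, 1, tzinfo=timezone.utc))
CRL_SAMPLE = CRL(issuer=ISSUER,
                 this_update=datetime(2025, 5, 1, tzinfo=timezone.utc),
                 next_update=datetime(2025, 7, 1, tzinfo=timezone.utc),
                 revoked=(RevokedEntry(0x1001, datetime(2025, 3, 1, tzinfo=timezone.utc),
                                       "keyCompromise"),))
CRL_STALE_SAMPLE = CRL(issuer=ISSUER,
                       this_update=datetime(2025, 1, 1, tzinfo=timezone.utc),
                       next_update=datetime(2025, 2, 1, tzinfo=timezone.utc),
                       revoked=())


def demo() -> dict:
    """Run the same certificate through each validation policy."""
    return {
        "expiry_only": check_expiry_only(CERT, NOW),
        "with_crl": check_with_crl(CERT, CRL_SAMPLE, NOW),
        "stale_crl": check_with_crl(CERT, CRL_STALE_SAMPLE, NOW),
        "no_crl_fail_closed": check_with_crl(CERT, None, NOW),
        "no_crl_fail_open": check_with_crl(CERT, None, NOW, fail_closed=False),
    }


if __name__ == "__main__":
    for policy, result in demo().items():
        print(f"{policy:>20}: {result.value}")
```

The same compromised certificate is accepted by the expiry-only policy and rejected only when the CRL is actually consulted; the stale-CRL and missing-CRL cases show why a relying party also has to treat an unavailable or out-of-date list as a failure rather than silently falling back to the expiry check.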

(The following is taken from RFC 1507.)

Revocation is the process of announcing that a key has (or may have) fallen into the wrong hands and should no longer be accepted as proof of some particular identity. With certificates as described above, someone who learns your secret and your certificate can impersonate you indefinitely - even after you have learned of the compromise. It lacks the ability corresponding to changing your password. A third method for revocation... is for certification authorities to periodically issue "revocation lists" which list certificates which should no longer be accepted.
