Non User
  Index: > A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Business
Non User
 Industries Finance Tax

Home > Certificate revocation list


In the operation of some cryptosystems, usually PKIs, a certificate revocation list (CRL) is a list of certificates which have been revoked, are no longer valid, and should not be relied upon by any system user. A certificate is revoked (and be entered on a CRL) if, for instance, it is discovered that the certificate authority (CA) had improperly issued a certificate: to the wrong person, with the wrong public key, to an ineligible person or entity, and so on. Alternatively, the private key corresponding to the public key contained in the certificate may have been compromised. Certificate expiration dates are not a substitute for a CRL as the problem may be discovered whilst the certificate has not yet expired.

A CRL is a prudent part of any practical PKI as mistakes in certificate generation can be confidently expected to occur in real world operations. In a particularly noteworthy example, a certificate for Microsoft was mistakenly issued to an unknown individual (who had successfully posed as Microsoft itself) by the CA contracted to maintain the ActiveX 'publisher certificate' system ( VeriSign). Microsoft finally saw the need to patch their cryptography subsystems so they would actually check certificates being used against a CRL. As a short term fix, a patch was issued for the relevant Microsoft software (most importantly Windows) specifically listing the two certificates in question as 'invalid'.

The certificates for which a CRL should be maintained are often X.509/ public key certificates, as this format is commonly used by PKI schemes.

1 Problems with all CRLs

Wherever, and however, a CRL is maintained, it must be available to a PKI participant whenever they might need access. Failing this, a revoked certificate may be accepted as valid because access to the CRL is temporarily not possible. This requirement of effectively on-line validation negates one of the original major advantages of PKI over symmetric cryptograhy protocols, namely that the certificate is "self authenticating". Symmetric system, e.g. Kerberos, typically depend on the existence of an on-line Key distribution center.

In addition, the existence of a CRL implies someone (or some organization) which decides that this certificate or that should be entered (or not) in the CRL. If this vetting is mistaken, problems will arise. As this is often done by the CA or some subsidiary, conflicts of interest will naturally often arise.

Still further, the necessity of consulting a CRL prior to accepting a certificate as reliable raises a potential denial-of-service attack against the entire PKI scheme and all its users. Moreover, an attacker could violate the integrity of the CRL, just as other components of the PKI are subject to attack. Even if the PKI is well protected, some attacks may succeed, resulting (at best) in a massive denial of service.

No comprehensive solution to these problems is known, though there are multiple workaroundA workaround is a bypass of a recognized problem in a system. A workaround is typically a temporary fix that implies that a genuine solution to the problem is needed. Frequently workarounds are as creative as true solutions, involving out-of-the-box thinks for various aspects of it, some of which have proven acceptable in practice.

An increasingly popular alternative to using CRLs is on-line certificate validation. One of the options is the Online Certificate Status Protocol (OCSP) defined in RFC 2560. See also http://www.openvalidation.org/.

2 See also

trusted third partyIn cryptography, a trusted third party (TTP is an entity (eg, a person, a company, a government agency,. who carries out a necessary part of some cryptographic protocols. The term is one which is often used in academic papers analyzing such protocols, and, web of trustIn cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user. It is, in some respects, an alternative to centralized PKI reliance exclusi CryptographyCryptography (from Greek kryptos "hidden", and graphein "to write") is, traditionally, the study of means of converting information from its normal, comprehensible form into an incomprehensible format, rendering it unreadable without secret knowledge — th

Politics Business Finance
Certificate Revocation List Crl Pki Certificates

Topics: Certificate Revocation List Crl Pki Certificates Key Microsoft...

CertificateA certificate is an official document affirming some fact. For example, a birth certificate testifies to basic facts regarding a person's birth. A certificate may also certify that a person has received specific education or has passed a test. In computinCertificate revocation listIn the operation of some cryptosystems, usually PKIs, a certificate revocation list (CRL is a list of certificates which have been revoked, are no longer valid, and should not be relied upon by any system user. A certificate is revoked (and be entered onCertificate authorityIn cryptography, a certificate authority CA is an entity which issues digital identity certificates for use by other parties. It is an example of a trusted third party. CA's are characteristic of many PKI schemes. A CA is usually a company that, for a fee
Certificate-based encryptionCertificate-based encryption is a system in which a certificate authority uses ID-based cryptography to produce a certificate. This system gives the users both implicit and explicit certification, the certificate can be used as a conventional certificateCertificateless cryptographyCertificateless cryptography is a variant of ID-based cryptography intended to prevent any need for key escrow. It does this by splitting the private key generations stage between a user and a third party. One disadvantade of this is that the identity infCertificate (HETAC)The HETAC One-Year Certificate is a subdegree qualification offered by the Higher Education and Training Awards Council as a one year full time course in a specific discipline, below the standard of the National Certificate or National Diploma. The certif
Certificate of depositCertificate of Merit MedalCertificate of Loss of Nationality
Certificate signing request  


Non User