Understanding Certificate Revocation
Certificate revocation is the process of revoking a certificate before it expires.
A certificate may need to be revoked because it was stolen, an employee has moved to a new company, or someone has had their access revoked.
A certificate revocation is handled either through a certificate revocation list (CRL) or by using the Online Certificate Status Protocol (OCSP).
A repository is simply a database or database server where the certificates are stored.
The process of revoking a certificate begins when the CA is notified that a particular certificate needs to be revoked.
This must be done whenever the private key becomes known to anyone other than its owner, that is, whenever the key is compromised.
The owner of a certificate can request that it be revoked at any time, or the administrator can make the request.
The CA marks the certificate as revoked. This information is published in the CRL and becomes available using OCSP.
The revocation process is usually very quick; the time required is based on the publication interval for the CRL.
Disseminating the revocation information to users may take longer. Once the certificate has been revoked, it can never be used, or trusted, again.
The CA publishes the CRL on a regular basis, usually either hourly or daily. The CA sends or publishes this list to organizations that have chosen to receive it; the publishing process occurs automatically in the case of PKI.
The time between when the CRL is issued and when it reaches users may be too long for some applications.
This time gap is referred to as latency. OCSP solves the latency problem: if the recipient or relying party uses OCSP for verification, the answer is available immediately.
Currently, this process is under evaluation and may be replaced at some time in the future.
When a key is compromised, a revocation request should be made to the CA immediately. It may take a day or longer for the CRL to be disseminated to everyone using that CA.
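As an added illustration (not part of the original text), the following Python builds a small CRL in the DER layout defined by RFC 5280, parses it back, and shows what a relying party actually reads from it: the revoked serial numbers with their reason codes, and the thisUpdate/nextUpdate window that produces the latency described above. The issuer name, serial numbers, dates and reason values are constructed sample data, and the signature field is a zero placeholder; a real relying party must also verify the CRL's signature with the CA's public key before trusting any entry in it.

```python
# Minimal DER encoder/parser for an X.509 CRL (RFC 5280 CertificateList layout).
from datetime import datetime, timezone

SHA256_RSA = "1.2.840.113549.1.1.11"   # signature algorithm OID
REASON_CODE = "2.5.29.21"              # CRL entry extension: reasonCode
KEY_COMPROMISE = 1                     # CRLReason value for keyCompromise

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _length(len(content)) + content

def der_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))  # sign bit stays clear

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(content):
    """Split a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def build_crl(issuer_cn, this_update, next_update, revoked):
    """Build a v2 CRL; revoked = [(serial, revocation_date, reason), ...] (at least one).
    The signatureValue is a zero placeholder, constructed for illustration, NOT a real signature."""
    alg = tlv(0x30, der_oid(SHA256_RSA) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, issuer_cn.encode()))))
    entries = b""
    for serial, date, reason in revoked:
        ext = tlv(0x30, der_oid(REASON_CODE) + tlv(0x04, tlv(0x0A, bytes([reason]))))
        entries += tlv(0x30, der_int(serial) + der_utctime(date) + tlv(0x30, ext))
    tbs = tlv(0x30, der_int(1) + alg + issuer + der_utctime(this_update)
              + der_utctime(next_update) + tlv(0x30, entries))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))

def parse_crl(der):
    """Return issuer CN, thisUpdate, nextUpdate and {serial: (revocation_date, reason)}."""
    def when(b):
        return datetime.strptime(b.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    tbs = children(read_tlv(der)[1])[0][1]        # tbsCertList is the first child
    fields = children(tbs)
    if fields[0][0] == 0x02:                      # optional version INTEGER present
        fields = fields[1:]
    _alg, issuer, this_upd, next_upd, revoked_seq = fields[:5]
    cn = children(children(children(issuer[1])[0][1])[0][1])[1][1].decode()
    revoked = {}
    for _, entry in children(revoked_seq[1]):
        parts = children(entry)
        reason = None
        if len(parts) > 2:                        # crlEntryExtensions present
            for _, ext in children(parts[2][1]):
                ext_parts = children(ext)
                if tlv(0x06, ext_parts[0][1]) == der_oid(REASON_CODE):
                    reason = read_tlv(ext_parts[-1][1])[1][0]   # ENUMERATED inside OCTET STRING
        revoked[int.from_bytes(parts[0][1], "big")] = (when(parts[1][1]), reason)
    return {"issuer": cn, "thisUpdate": when(this_upd[1]),
            "nextUpdate": when(next_upd[1]), "revoked": revoked}

def check_status(crl, serial, now):
    """What a relying party holding a cached CRL can say about a serial at time `now`."""
    if now > crl["nextUpdate"]:
        return "stale"    # past nextUpdate: fetch a fresh CRL (or ask OCSP) before trusting it
    return "revoked" if serial in crl["revoked"] else "good"

# Constructed sample data (hypothetical CA, not real output).
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2024, 1, 2, tzinfo=timezone.utc)      # daily publication interval
AFTER_NEXT_UPDATE = datetime(2024, 1, 3, tzinfo=timezone.utc)
SAMPLE_CRL = build_crl("Example Corp CA", ISSUED, NEXT_UPDATE,
                       [(4096, ISSUED, KEY_COMPROMISE), (4097, ISSUED, 5)])  # 5 = cessationOfOperation
PARSED = parse_crl(SAMPLE_CRL)
```

The `stale` result is the practical face of the latency problem: a relying party that keeps using a CRL past its nextUpdate has no way of knowing about certificates revoked since the last publication, which is exactly the gap OCSP closes by answering per certificate at verification time.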