Certificate Revocation Lists: A Basic Overview
Certificates are used daily in information security for transactions that range from checking e-mail to validating electronic payments to transmitting healthcare records. When properly used, they are an effective way to verify identity. And just as the issuance of certificates must be tracked in an auditable way, so must their revocation. For this, Certificate Revocation Lists (CRLs) are used.
Certificates form the basis of a Public Key Infrastructure (PKI). A certificate binds a public key to the identity of a device, organization, person, or business, and is signed by a certificate authority (CA) that vouches for that binding. The holder keeps the matching private key, which is used to sign and to decrypt; anyone holding the certificate can use the public key in it to verify those signatures and to encrypt data for the holder. In a transaction, each party that presents a certificate can be authenticated by the other before any data is transmitted (protocols such as TLS authenticate the server this way and, optionally, the client), and the session keys negotiated under that authentication protect the information in transit.
Any transaction of sensitive data should be secure. A valid certificate means that the issuing CA has vouched for the binding between the holder and its public key, and that the certificate has neither expired nor been revoked. Once a certificate has been revoked, that binding can no longer be trusted for a safe transaction, even if the certificate's validity period has not yet ended. Reasons for revocation vary, but include the following (RFC 5280 defines reason codes that a CRL entry can carry to say why):
- The certificate was superseded by a new certificate (reason code superseded).
- The certificate was not properly issued.
- The entity associated with the certificate has changed names (affiliationChanged).
- The private key is suspected to be compromised (keyCompromise).
- The certificate holder has not adhered to institution requirements for key use.
- The certificate holder has left the institution's employment.
A Certificate Revocation List is published, and signed, by the authority that issued the certificates it covers. Each entry identifies a revoked certificate by its serial number, together with the revocation date and, optionally, a reason code; the list as a whole records when it was issued (thisUpdate) and by when a newer list will be published (nextUpdate). Applications that rely on certificates should fetch revocation information as part of validating them during a transaction. The certificate itself usually says where to look: its CRL Distribution Points extension carries the URL from which the issuing CA publishes the list. Organizations should make sure their cryptographic processing technology loads CRLs for every CA it trusts, either from the CA directly or from the designated CRL distribution point, and that it verifies each CRL's signature against the issuer's key before acting on it.
The main advantage of using CRLs is that they can be downloaded once and cached locally. Because a CRL is signed by the issuing CA, it can be fetched over any network and still be trusted once the signature checks out. Checking a cached list is also good for privacy: the client answers "is this certificate revoked?" from the copy on disk instead of asking the CA about every certificate it encounters, so the CA learns nothing about which sites or services the client connects to or when. Caching has a downside, however. A revocation only reaches clients when the CA publishes its next CRL and the clients fetch it, so a certificate revoked today may still be accepted by anyone holding yesterday's list, and a client that ignores nextUpdate and keeps using a stale copy can go on trusting revoked certificates for any length of time. These disadvantages can be mitigated by policies and procedures that set a short CRL publication interval and require clients to refresh as soon as nextUpdate passes, or by using the Online Certificate Status Protocol (OCSP), which I will be outlining in a future post.
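As an added example (not code from the original post), here is a small Python script using the `cryptography` package that does what the two paragraphs above describe: a CA issues certificates carrying a CRL Distribution Points extension, publishes a signed CRL with a nextUpdate, and a relying party checks a certificate's serial number against that list, verifying the CRL's issuer and signature first and refusing a cached copy that is past nextUpdate or one signed by some other key. The CA names, serial numbers and the distribution-point URL are made up for the demonstration.

```python
# Added example; uses the `cryptography` package. CA names, serial numbers and the URL are made up.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.test/issuing-ca.crl"  # hypothetical distribution point
KEY_USAGE = x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                          content_commitment=False, key_encipherment=False, data_encipherment=False,
                          key_agreement=False, encipher_only=False, decipher_only=False)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(common_name="Example Issuing CA"):
    """Self-signed CA whose key signs both certificates and CRLs (keyUsage cRLSign)."""
    key, now = ec.generate_private_key(ec.SECP256R1()), datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(KEY_USAGE, critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_cert(ca_key, ca_cert, common_name, serial):
    """End-entity certificate; its CRL Distribution Points extension says where the CRL lives."""
    now = datetime.now(timezone.utc)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial)
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=365))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked, this_update, validity=timedelta(days=7)):
    """Sign a CRL of (serial, ReasonFlags) entries; nextUpdate tells clients when to refresh."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(this_update).next_update(this_update + validity))
    for serial, reason in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(this_update)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())

def crl_distribution_points(cert):
    """URIs from the CRL Distribution Points extension ([] if the certificate has none)."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in dps for gn in dp.full_name or [] if isinstance(gn, x509.UniformResourceIdentifier)]

def _crl_time(crl, field):
    # cryptography >= 42 has tz-aware *_utc accessors; older versions return naive UTC datetimes
    value = getattr(crl, field + "_utc", None) or getattr(crl, field)
    return value if value is None or value.tzinfo else value.replace(tzinfo=timezone.utc)

def check_revocation(cert, crl, ca_cert, now):
    """("good", None) or ("revoked", reason); ValueError if the CRL must not be relied on."""
    if crl.issuer != cert.issuer or crl.issuer != ca_cert.subject:
        raise ValueError("CRL issuer does not match the certificate's issuer")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify under the issuing CA's key")
    last, nxt = _crl_time(crl, "last_update"), _crl_time(crl, "next_update")
    if nxt is None or not (last <= now <= nxt):
        raise ValueError("CRL is stale or not yet valid; fetch a fresh copy")
    for entry in crl:  # entries are matched by serial number, as in RFC 5280
        if entry.serial_number == cert.serial_number:
            reason = next((e.value.reason.name for e in entry.extensions
                           if isinstance(e.value, x509.CRLReason)), "unspecified")
            return "revoked", reason
    return "good", None

def _outcome(cert, crl, ca_cert, now):
    try:
        return check_revocation(cert, crl, ca_cert, now)[0]
    except ValueError:
        return "rejected"

def demo():
    """Issue two certificates, revoke one for key compromise, and exercise the checks."""
    ca_key, ca_cert = make_ca()
    good = issue_cert(ca_key, ca_cert, "app01.example.test", serial=1001)
    bad = issue_cert(ca_key, ca_cert, "app02.example.test", serial=1002)
    issued_at = datetime.now(timezone.utc)
    crl = build_crl(ca_key, ca_cert, [(1002, x509.ReasonFlags.key_compromise)], issued_at)
    return {
        "cdp": crl_distribution_points(good),
        "good": check_revocation(good, crl, ca_cert, issued_at),
        "bad": check_revocation(bad, crl, ca_cert, issued_at),
        "stale": _outcome(good, crl, ca_cert, issued_at + timedelta(days=8)),  # cached copy past nextUpdate
        # right issuer name, wrong signing key: the signature check must reject it
        "forged": _outcome(good, build_crl(make_ca("Other CA")[0], ca_cert, [], issued_at), ca_cert, issued_at),
    }
```

Running `demo()` reports the first certificate as good, the second as revoked for key compromise, and rejects both the stale cached CRL and the one signed with another CA's key. In a real deployment the list would be fetched from the URL that `crl_distribution_points` returns rather than built in the same process, and the stale-copy check is exactly what keeps a cache from being used past nextUpdate.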