In public key cryptography, a certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker could exploit a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure. Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation.
When distributing revocation information to clients, how quickly a revocation is discovered (and hence the window in which an attacker can exploit a compromised certificate) trades off against the resources spent querying revocation statuses and against privacy concerns. If revocation information is unavailable (either due to an accident or an attack), clients must decide whether to fail hard and treat a certificate as if it is revoked (and so degrade availability) or to fail soft and treat it as unrevoked (and allow attackers to sidestep revocation).
Due to the cost of revocation checks and the availability impact of potentially unreliable remote services, Web browsers limit the revocation checks they will perform, and will fail soft where they do. Certificate revocation lists are too bandwidth-costly for routine use, and the Online Certificate Status Protocol presents connection latency and privacy issues. Other schemes have been proposed but have not yet been successfully deployed to enable fail-hard checking.
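The signed revocation statement and the fail-hard versus fail-soft decision described above, as an added example that is not part of the original page. It uses the Python `cryptography` package; the function names `make_crl` and `check`, the CA name, the clock value and the serial numbers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed "current time"
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

def make_crl(ca_key, revoked_serials, issued, lifetime=timedelta(days=7)):
    """CA side: sign a CRL listing the revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(issued).next_update(issued + lifetime))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(issued).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def check(serial, crl, ca_public_key, fail_hard, now=NOW):
    """Client side: return (accept, reason). crl=None models an unreachable source."""
    if crl is None:
        problem = "unavailable"
    elif not crl.is_signature_valid(ca_public_key):
        problem = "bad signature"  # not an authenticated statement from this CA
    else:
        # next_update_utc exists in newer releases; older ones give a naive UTC value
        expires = getattr(crl, "next_update_utc", None) or \
            crl.next_update.replace(tzinfo=timezone.utc)
        problem = "stale" if now > expires else None
    if problem is None:
        revoked = crl.get_revoked_certificate_by_serial_number(serial) is not None
        return (not revoked, "revoked" if revoked else "good")
    # No usable answer: fail hard rejects, fail soft accepts.
    return (not fail_hard, problem)

if __name__ == "__main__":
    ca_key = ec.generate_private_key(ec.SECP256R1())
    crl = make_crl(ca_key, [1001], NOW - timedelta(days=1))  # serial 1001 revoked
    pub = ca_key.public_key()
    print(check(1001, crl, pub, fail_hard=False))   # CRL reachable
    print(check(1001, None, pub, fail_hard=False))  # source blocked, fail soft
    print(check(1001, None, pub, fail_hard=True))   # source blocked, fail hard
```

The stale branch matters for the same reason as the unavailable one: an old but validly signed list that predates the revocation is no better than no list, so it is routed through the same policy decision.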