Certificate revocation is the mechanism within PKI (Public Key Infrastructure) by which a CA tells clients that a certificate it issued must no longer be trusted, even though the certificate has not yet expired. Typical reasons are a compromised private key, a change in the subject's details, or a certificate that was issued in error.

Revocation Methods

CRL

A CRL (Certificate Revocation List) is a signed list, published by the CA, of the serial numbers of the certificates that CA has revoked, each with its revocation date. The client downloads the CRL, verifies the CA's signature on it, and then checks whether the serial number of the certificate it is validating appears in the list; a match means the certificate must be rejected. The revoked-certificates section of a CRL (as printed by openssl crl -text) looks like this:

Revoked Certificates
Serial Number: 2122723EAAF2BEC56980067579A0A7705
Revocation Date: May 2 19:56:10 2013 GMT
Serial Number: 776DDD15D25C7DFNKQPNML4A8EACFB4A1
Revocation Date: May 22 13:03:16 2013 GMT

To tell the client where to fetch the CRL, the CA embeds a CRL Distribution Point (CDP) extension in each certificate it issues. It appears among the X509v3 extensions of the certificate, as shown below (the last entry, X509v3 CRL Distribution Points, carries the URL):

X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:D1:6D:2E:7C:5C:AD:14:FC:2A:72:92:C2:82:CB:B9:6E:DC:A5:C4:02
X509v3 Subject Key Identifier:
35:42:17:CF:F0:9A:FF:B7:9F:FC:C5:A4:95:D6:68:4F:97:81:1E:1D
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.43
CPS: https://cps.trust-provider.com
Policy: 2.23.140.1.2.2

X509v3 CRL Distribution Points:
URI:http://crl.trust-provider.com/McAfeeOVSSLCA.crl

Disadvantages

The main disadvantages of CRLs are:

  • Overhead: the client must download the whole list and search it for one serial number. A busy CA's CRL can run to thousands of entries, and the download is repeated by every client whose cached copy has expired.
  • Latency of revocation: a CRL is published on a schedule (its Next Update field tells the client when to fetch a new one), and public CAs typically republish every few days (the Baseline Requirements for publicly trusted CAs demand a fresh CRL for subscriber certificates at least every seven days). A certificate revoked between two publications is still accepted by clients holding the older CRL until they refresh it, so the window of exposure is the CRL's lifetime, not the moment of revocation.
  • Not always consulted: some browsers only perform online revocation checks for EV certificates (Chrome, for example, long relied on its own CRLSet and checked only EV certificates online), so for OV (Organization Validation) and DV (Domain Validation) certificates the CRL may never be fetched at all.
  • Fail-open behaviour: if the client cannot download the CRL (network error, blocked or unreachable distribution point), most browsers treat the check as passed and accept the certificate. An attacker who can block the CDP URL can therefore keep using a revoked certificate. Stricter validators, such as openssl verify -crl_check, fail closed instead and report an error when no CRL is available.

OCSP

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.[1] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).[2] Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The request/response nature of these messages leads to OCSP servers being termed OCSP responders. The client identifies the certificate by its serial number and a hash of the issuer, and the responder answers good, revoked or unknown in a response signed either by the CA itself or by a responder certificate the CA has delegated; the client must verify that signature before acting on the status.

A sample OCSP response, as printed by the openssl ocsp client, is shown below:

Response verify OK
0x25F5V12D5E6FD0BD4EAF2A2C966F3B4aE: good
This Update: Jan 19 00:24:56 2011 GMT
Next Update: Jan 26 00:24:56 2011 GMT

The main advantage of OCSP is that the client asks about a single certificate, identified by its serial number and issuer, instead of downloading and searching the whole revocation list, so the response is small and reflects the responder's current view rather than the last CRL publication. The cost is that every TLS connection now triggers a request to the CA's responder, which adds latency, tells the CA which sites the client visits, and creates one more point of failure (and most browsers again fail open when the responder cannot be reached).

OCSP stapling (the TLS status_request extension, RFC 6066) addresses this: the server periodically fetches a signed, time-stamped OCSP response for its own certificate from the responder and sends ("staples") it to the client inside the TLS handshake, so the client verifies the CA's signature on the stapled response and never has to contact the responder itself. Whether a server staples can be checked with openssl s_client -connect host:443 -status, which prints the OCSP response if one was received.

The main disadvantages of OCSP stapling are:

  • It needs support for the status_request TLS extension in both the client and the server stack (it works with TLS 1.0 through TLS 1.3, not only TLS 1.2), and server software commonly ships with stapling switched off.
  • A client that receives no stapled response simply falls back to a standard OCSP query or skips the check entirely. Unless the certificate carries the TLS Feature ("must-staple", RFC 7633) extension, an attacker can therefore strip the staple and rely on the client's fail-open behaviour.

OCSP configuration is covered in the next article.

© 2018, Techrunnr. All rights reserved.


Prabhin Prabharkaran

He is a technical professional who loves to share tricks and tips on the Internet. He posts what he does!
