A Response to ''Can We Eliminate Certificate Revocation Lists?''
نویسندگان
چکیده
The use of certi cate revocation lists (CRLs) to convey revocation state in public key infrastructures has long been the subject of debate. Centrally, opponents of the technology attribute a range of semantic and technical limitations to CRLs. In this paper, we consider arguments advising against the use of CRLs made principally by Rivest in his paper \Can we eliminate certi cate revocation lists?" [Riv98]. Specifically, the assumptions and environments on which these arguments are based are separated from those features inherent to CRLs. We analyze the requirements and potential solutions for three distinct PKI environments. The fundamental tradeo s between revocation technologies are identi ed. From the case study analysis we show how, in some environments, CRLs are the most eÆcient vehicle for distributing revocation state. The lessons learned from our case studies are applied to a realistic PKI environment. The result, revocation on demand, is a CRL based mechanism providing timely revocation information.
منابع مشابه
Can We Eliminate Certificate Revocations Lists?
We briefly consider certificate revocation lists (CRLs), and ask whether they could, and should, be eliminated, in favor of other mechanisms. In most cases, the answer seems to be “yes.” We suggest some possible replacement mechanisms.
متن کاملCertificate Revocation Lists or Online Mechanisms1
With more and more acceptance of Digital Certificates and Public Key Infrastructures (PKI), the mechanisms to revoke a certificate in a PKI have recently received increasing attention. The revocation mechanisms are commonly classified into Certificate Revocation Lists (CRLs), trusted dictionaries and online mechanisms. The designer of a PKI should select an appropriate revocation method suiting...
متن کاملA Model to Evaluate Certificate Revocation
This paper presents a model to evaluate certificate revocation using certificate revocation lists (CRL's) of the X.509 standard. The model shows the relationship between the number of users managed by a Certificate Authorities (CA) and the size of the revocation lists, the computation power of the CA and the necessary bandwidth to access the revoked certificates.
متن کاملInstant certificate revocation and publication using WebDAV
There are several problems associated with the current ways that certificates are published and revoked. This paper discusses these problems, and then proposes a solution based on the use of WebDAV, an enhancement to the HTTP protocol. The proposed solution provides instant certificate revocation, minimizes the processing costs of the certificate issuer and relying party, and eases the administ...
متن کاملWindowed Key Revocation in Public Key Infrastructures
A fundamental problem inhibiting the wide acceptance of a Public Key Infrastructure (PKI) in the Internet is the lack of a mechanism that provides scalable certificate revocation. In this paper, we propose a novel mechanism called Windowed Revocation. In windowed revocation, certificate revocation is announced for short periods in periodic Certificate Revocation Lists (CRLs). Due to the assuran...
متن کامل