Challenges and Misconceptions of Certificate Revocation in PKI

Public Key Infrastructure (PKI) is the most widely used technology in the security space for establishing authentication, data integrity, non-repudiation, email encryption and SSL/TLS with X.509 certificates (also known as digital certificates). A digital certificate is a form of identity document in the digital world; it identifies users, entities and servers.

PKI is an amalgamation of protocols, people, processes and technologies that must work in a synchronized manner to create, store, distribute, manage and revoke digital identities. However, there exist real-world challenges, pitfalls and misconceptions around certificate status validation in the PKI technology space that need to be highlighted.

Misconceptions about Certificate Revocation

  1. Revocation of digital certificates is for expired certificates

This is the most commonly misunderstood concept. Revocation applies only to certificates that are still within their validity period and must be withdrawn before they expire, for various reasons.

  2. Revocation of digital certificates is not needed for unused certificates

Many certificate owners assume that “unused certificates” are not worth revoking. However, unused certificates are the riskiest to be exploited, so certificate owners must revoke them without delay. As a general principle, certificate owners may make an exception only for short-lived certificates whose validity is less than 90 days, subject to the risk appetite and business requirements of their organization.

  3. Revocation of digital certificates is seldom a real-time aspect

Another major misconception about certificate revocation is that it is “automatic” and “immediate.” In fact, it is neither: not automatic, because it depends on the certificate owner taking the initiative to request revocation; and not immediate, because the Certificate Authority (CA) must complete certain mandatory steps before it can revoke a certificate. Those steps take procedural time before the CA can publish a new Certificate Revocation List (CRL), and relying parties must then download the new CRL or refresh their Online Certificate Status Protocol (OCSP) cache before they stop acting on stale status information.

iTM covers all aspects of cybersecurity, from home cyber security managed solutions to automated, managed threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey.