Hasty Briefs

Revocation of X.509 Certificates

2 days ago
  • #Certificate Revocation
  • #Internet Security
  • #PKI
  • The article revisits X.509 certificate revocation in light of recent CA/Browser Forum and Let's Encrypt changes to certificate lifetimes, and lays out why revocation remains hard.
  • X.509 certificates are the trust anchor for TLS, yet a certificate stays trusted for its whole lifetime (90 days for Let's Encrypt today, with lifetimes now being cut toward 45 days); a key compromised on day one is still accepted for the remaining days unless the certificate can be revoked quickly.
  • CRLs are bulky (a client must fetch the issuer's entire list) and only as fresh as their last publication, while OCSP adds a per-connection lookup that leaks the visited site to the CA, costs a round trip, and fails open when the responder is unreachable; browsers have therefore supported these checks inconsistently.
  • OCSP stapling moves the lookup to the server, which presents a CA-signed response in the TLS handshake, but the client sees only a cached response that may be well out of date; Chrome instead ships CRLSets, a curated and size-limited subset of revocations, so revocation behaviour now differs from browser to browser.
  • Short-lived certificates shrink the window in which a compromised certificate stays usable, which reduces dependence on revocation without eliminating it; the article points to DANE over DNSSEC as a faster and more scalable alternative.
  • The article's conclusion: today's revocation methods do not meet modern threats, browsers frequently accept certificates that have in fact been revoked, and the infrastructure needs an overhaul.
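The CRL path described above, as an added example that is not code from the article or from any CA: a Go program (standard library only) that mints a throwaway in-memory CA, issues two leaves, publishes a CRL revoking serial 2, and then performs the checks a relying party should do on a downloaded CRL. The CA name, hostnames, serial numbers, the 90-day leaf lifetime and the 7-day CRL window are all assumptions for the demo. The staleness check is the point: a CRL past its NextUpdate is rejected rather than read as "nothing revoked", which is the lag problem the article describes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable for minting a throwaway test PKI, never
// for the relying-party path (CheckCRL), which must fail closed with an error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Fixture is a constructed in-memory toy PKI: a CA, a revoked leaf (serial 2),
// a live leaf (serial 3) and a CRL listing serial 2. No real CA is involved.
type Fixture struct {
	CA, RevokedLeaf, GoodLeaf *x509.Certificate
	CRLDER                    []byte
}

func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, now time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour), // assumed "90-day" leaf
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// BuildFixture mints the toy PKI. crlLifetime is the ThisUpdate..NextUpdate
// window the CA advertises; a relying party must not trust the CRL beyond it.
func BuildFixture(now time.Time, crlLifetime time.Duration) *Fixture {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Toy CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	revoked := issueLeaf(ca, caKey, 2, "compromised.example.test", now)
	good := issueLeaf(ca, caKey, 3, "healthy.example.test", now)
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(crlLifetime),
		RevokedCertificateEntries: []x509.RevocationListEntry{{
			SerialNumber:   revoked.SerialNumber,
			RevocationTime: now,
			ReasonCode:     1, // keyCompromise (RFC 5280 CRLReason)
		}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &Fixture{CA: ca, RevokedLeaf: revoked, GoodLeaf: good, CRLDER: crlDER}
}

// CheckCRL is the relying-party side: verify the CRL signature, confirm the
// CRL comes from the leaf's issuer, refuse a CRL outside its validity window
// (fail closed instead of reading a stale list as "not revoked"), then look
// the leaf's serial up. revoked is true only when the serial is listed.
func CheckCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (revoked bool, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return false, fmt.Errorf("CRL issuer does not match certificate issuer")
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL outside validity window %s .. %s",
			crl.ThisUpdate.Format(time.RFC3339), crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	f := BuildFixture(now, 7*24*time.Hour)
	cases := []struct {
		leaf *x509.Certificate
		at   time.Time
	}{{f.RevokedLeaf, now}, {f.GoodLeaf, now}, {f.GoodLeaf, now.Add(8 * 24 * time.Hour)}}
	for _, c := range cases {
		revoked, err := CheckCRL(c.leaf, f.CA, f.CRLDER, c.at)
		fmt.Printf("%-26s at +%v: revoked=%v err=%v\n", c.leaf.Subject.CommonName, c.at.Sub(now), revoked, err)
	}
}
```

The third case in main is the one worth noticing: eight days after publication the CRL is rejected outright, so the client has no answer at all and must either fetch a fresh list or refuse the connection. A browser that soft-fails at this point is exactly the "fails to detect revoked certificates" behaviour the article criticises; a real client would also need to follow the leaf's CRL distribution point and verify the CA chain itself, both of which this demo takes as given.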