A Certificate Revocation List (CRL) is a signed list, published by a Certificate Authority (CA), of the certificates it has revoked before their expiration date. A CRL is generated and published periodically, usually at defined intervals, and a CA can also publish a new CRL immediately after revoking a certificate. Revocation here means that the certificate has not expired: it was an active certificate, and the CA has withdrawn it, so it must no longer be trusted.
A revoked certificate loses its credibility because it no longer provides the protection against malicious parties and hackers that it was issued for; the private key behind it may, for example, be in an attacker's hands. CRLs are how web browsers and other relying parties learn whether the certificate a website presents is still trustworthy.
Hence a revoked SSL/TLS certificate is worth no more than having none at all. The CRL itself is signed by the issuing CA, so a client that downloads it from the distribution point named in the certificate can verify that the list is authentic before relying on it.
Why are Certificates Revoked?
There can be many reasons for the revocation of a certificate. The CA records the reason in the CRL entry as a CRLReason code; the codes defined in RFC 5280 are as follows –
0 unspecified: no reason given
1 keyCompromise: the certificate's private key has been compromised
2 cACompromise: the key of the issuing CA has been compromised
3 affiliationChanged: the subject's name or affiliation has changed
4 superseded: the certificate has been replaced by a new one
5 cessationOfOperation: the certificate is no longer needed for its original purpose
6 certificateHold: the certificate is temporarily suspended
8 removeFromCRL: used only in delta CRLs, to release a certificate that was on hold
9 privilegeWithdrawn: a privilege asserted in the certificate has been withdrawn
10 aACompromise: the attribute authority's key has been compromised
The value 7 is not used.
Through the CRL the CA therefore provides not only the validity status of the certificates it has issued but also, for each revoked certificate, its serial number, the date of revocation and the reason, together with the date the CRL was issued (thisUpdate) and the date by which the next one will be issued (nextUpdate).
Types of Certificate Revocation Lists –
A base CRL is a complete list of all certificates the CA has revoked and that have not yet expired. A delta CRL lists only the changes since a particular base CRL, which it identifies through the Delta CRL Indicator extension, so it stays small even when the base CRL is large.
If only a base CRL is used, a client checking for revocation needs to download and check the base CRL alone.
If a combination of base and delta CRL is used, the client has to download both the base CRL and the most recent delta CRL and consult both to verify the certificate's revocation status.
Working of Certificate Revocation List –
When a browser connects to a website that presents an SSL/TLS certificate, it checks that certificate against the CA's CRL before trusting it. The certificate carries a CRL Distribution Points extension naming the URL of the CRL; the browser fetches the CRL (or uses a cached copy that is still within its validity period), verifies the CA's signature on it, checks that the current time lies between thisUpdate and nextUpdate, and then looks for the certificate's serial number in the list. If the serial number is present the certificate is rejected; otherwise the connection proceeds.
The CRL must be refreshed regularly. If it is not, a certificate revoked after the client's copy was downloaded does not appear in that copy, the browser treats the certificate as valid, and the user is exposed to whoever holds the compromised key. For the same reason a client should refuse a CRL whose nextUpdate time has passed rather than keep using it.
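As an added example (not code from the original article), the check described above, modelled in Go with only the standard library: the CA side signs a base CRL, and the relying-party side parses it, verifies the CA's signature, rejects a copy outside its thisUpdate..nextUpdate window, and looks the serial number up together with its reason code. The CA is a constructed throwaway self-signed certificate, the serial numbers and reason codes are made up, and the CRL is handed over in memory instead of being fetched from a distribution point. It assumes Go 1.21 or later, where crypto/x509 exposes RevocationListEntry with a ReasonCode field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	// ErrStaleCRL: the check time is outside the CRL's thisUpdate..nextUpdate window.
	ErrStaleCRL = errors.New("crl: outside its validity window, refresh it")
	// ReasonNames maps RFC 5280 CRLReason codes to their names; value 7 is not assigned.
	ReasonNames = map[int]string{
		0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
		4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
		8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise",
	}
)

// NewTestCA creates a throwaway self-signed CA (constructed fixture, not a real CA).
// It must carry the cRLSign key usage, or Go refuses to sign a CRL with it.
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCRL is the CA side: sign a base CRL listing the revoked serial numbers, each
// with its revocation date and reason code, valid from thisUpdate until nextUpdate.
func IssueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey,
	entries []x509.RevocationListEntry, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:                    big.NewInt(1),
		ThisUpdate:                thisUpdate,
		NextUpdate:                nextUpdate,
		RevokedCertificateEntries: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckStatus is the relying-party side: parse the downloaded CRL, verify the CA's signature,
// refuse a stale copy (it silently omits newer revocations), then look the serial number up.
func CheckStatus(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (revoked bool, reason string, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, "", err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, "", fmt.Errorf("crl: not signed by the trusted CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, "", ErrStaleCRL
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, ReasonNames[e.ReasonCode], nil
		}
	}
	return false, "", nil
}

func main() {
	ca, key, err := NewTestCA("Example Test CA")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed revocations: serial 1001 lost its key, serial 1002 was superseded.
	entries := []x509.RevocationListEntry{
		{SerialNumber: big.NewInt(1001), RevocationTime: now.Add(-time.Hour), ReasonCode: 1},
		{SerialNumber: big.NewInt(1002), RevocationTime: now.Add(-time.Hour), ReasonCode: 4},
	}
	crl, err := IssueCRL(ca, key, entries, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, s := range []int64{1001, 1002, 1003} {
		revoked, reason, err := CheckStatus(crl, ca, big.NewInt(s), now)
		fmt.Printf("serial %d: revoked=%v reason=%q err=%v\n", s, revoked, reason, err)
	}
	// A week after nextUpdate the same copy is stale; it must be refreshed, not reused.
	_, _, err = CheckStatus(crl, ca, big.NewInt(1003), now.Add(8*24*time.Hour))
	fmt.Println("stale copy:", err)
}
```

The order of the checks in CheckStatus is the point: a serial number that is absent from a list whose signature does not verify, or whose nextUpdate has passed, tells the client nothing, so both conditions are rejected before the lookup, and a CRL signed by any CA other than the one that issued the certificate is refused as well.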
Revocation Process for Certificate Revocation List –
The revocation process follows these steps –
The owner of the certificate contacts the Certificate Authority immediately to invalidate the digital certificate, so that no valuable user information is lost. The CA must verify that the revocation request really comes from the website owner; only after that verification is the certificate revoked and added to the next published CRL.
Sometimes the revocation of a digital certificate is delayed, and such a delay can lead to serious losses: for example, while a bank's compromised certificate remains valid, an attacker can impersonate the bank's website and drain a customer's account.
Mismanagement by CAs is not new. According to the research paper "The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI", CAs take on average about 5.6 months to revoke a compromised certificate, leaving user information an easy and vulnerable target for malicious hackers during that time.
Problems in Revocation –
In practice a revocation often fails to protect the user, because the revocation information does not reach the relying party in time.
Revoking a certificate by mistake also causes a series of problems, since every client that checks the CRL will reject the website's certificate until a new one is issued and deployed. So one must be careful when revoking.