article

Tradeoffs in certificate revocation schemes

Author:

Peifang ZhengAuthors Info & Claims

ACM SIGCOMM Computer Communication Review, Volume 33, Issue 2

Pages 103 - 112

https://doi.org/10.1145/956981.956991

Published: 01 April 2003 Publication History

Abstract

Cryptographic certificates are a powerful tool for security concerned applications where the participants must be authenticated in order to access some resources or commit a transaction. However, due to various reasons, the validity of such certificates can change over time, introducing the risk of an invalid certificate being used to authenticate an entity. Various methods of mitigating this risk have been devised, known broadly as "certificate revocation" schemes. In this paper, we categorize and analyze them based on our identified characteristics. We further discuss tradeoffs among them and suggest how system designers might apply the analyses.

References

[1]

The SSL V3.0 Protocol. http://wp.netscape.com/eng/ssl3/draft302.txt.]]

[2]

ValiCert: Secure solution for paperless e-business. http://www.valicert.com.]]

[3]

Secure Hash Standard. U.S. National Institute for Standards and Technology (NIST), 1994.]]

[4]

Carlisle Adams and Robert Zuccherato. A General, Flexible Approach to Certificate Revocation, June 1998. Entrust White Paper.]]

[5]

William Aiello, Sachin Lodha, and Rafail Ostrovsky. Fast Digital Identity Revocation. In Advances in Cryptology-CRYPTO 1998, pages 137--152. LNCS 4462, 1998.]]

Digital Library

[6]

André Årnes. Public Key Certificate Revocation Schemes. PhD thesis, Norwegian University of Science and Technology, February 2000.]]

[7]

Josh Cohen Benaloh and Michael de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Lecture Notes in Computer Science, 765:274--285, 1994.]]

[8]

Dan Boneh, Xuhua Ding, Gene Tsudik, and Chi Ming Wong. A Method for Fast Revocation of Public Key Certificates and Security Capabilites. In The 10th USENIX Security Symposium, 2001.]]

Digital Library

[9]

Ahto Buldas, Peeter Laud, and Helger Lipmaa. Accountable Certificate Management using Undeniable Attestations. In ACM Conference on Computer and Communications Security, Pages 19--24, 2000.]]

Digital Library

[10]

David Cooper. A Model of Certificate Revocation. In Fifteenth Annual Computer Security Applications Conference, pages 256--264, 1999.]]

Digital Library

[11]

David A. Cooper. A More Efficient Use of Delta-CRLs. In IEEE Symposium on Security and Privacy, pages 190--202, 2000.]]

Digital Library

[12]

Eugenio Faldella and Marco Prandini. A Novel Approach to On-Line Status Authentication of Public-Key Certificates. In 16th Annual Computer Security Applications Conference, New Orleans, Louisiana, USA, December 2000. IEEE Computer Society.]]

Digital Library

[13]

Irene Gassko, Peter S. Gemmell, and Philip MacKenzie. Efficient and fresh certification. In Proceedings of Public Key Cryptography, pages 342--353, Jan 2000.]]

Digital Library

[14]

Michael Goodrich, Robert Tamassia, and Andrew Schwerin. Implementation of an Authenticated Dictionary with Skip Lists and Commutative Hashing.]]

[15]

R. Housley, W. Ford, W. Polk, and D. Solo. Internet X.509 Public Key Infrastructure Certificate and CRL Profile, Jan 1999. RFC 2459.]]

Digital Library

[16]

Stephen T. Kent. Internet Privacy Enhanced Mail. In Communications of the ACM, volume 36, pages 48--60, 1993.]]

Digital Library

[17]

Stephen T. Kent. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management, Feburary 1993. RFC 1422.]]

Digital Library

[18]

Angelos D. Keromytis. STRONGMAN: a Scalable Solution to Trust Management in Networks. PhD thesis, University of Pennsylvania, 2001.]]

Digital Library

[19]

Paul Kocher. On Certificate Revocation and Validation. In International Conference on Financial Cryptography. LNCS, Springer-Verlag, 1998.]]

Digital Library

[20]

Y. Kortesniemi, T. Hasu, and J. Srs. A Revocation, Validation and Authentication Protocol for SPKI Based Delegation Systems. In Network and Distributed System Security Symposium, February 2000.]]

[21]

Patrick McDaniel and Sugih Jamin. Windowed Certificate Revocation. In INFOCOM(3), pages 1406--1414, 2000.]]

[22]

Patrick McDaniel and Aviel D. Rubin. A Response to "Can We Eliminate Certificate Revocation Lists?". In Financial Cryptography, pages 245--258, 2000.]]

Digital Library

[23]

Ralph C. Merkle. A Certified Digital Signature. In Proceedings of CRYPTO '89, pages 218--238. LNCS 435, 1990.]]

Digital Library

[24]

Silvio Micali. Enhanced Certificate Revocation. Technical report, MIT-LCS-TM-542, 1995.]]

Digital Library

[25]

Silvio Micali. Efficient Certificate Revocation. Technical report, MIT-LCS-TM-542b, March 1996.]]

Digital Library

[26]

Silvio Micali. NOVOMODO: Scalable Certificate Validation and Simplified PKI Management. In 1st Annual PKI Research Workshop - Proceeding, April 2002.]]

[27]

Michael Myers. Revocation: Options and Challenges. In Proc. Financial Cryptography '98.]]

Digital Library

[28]

Michael Myers, Rich Ankney, Ambarish Malpani, Slava Galperin, and Carlisle Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP, June 1999. RFC 2560.]]

Digital Library

[29]

Moni Naor and Kobbi Nissim. Certificate Revocation and Certificate Update. In Proceedings 7th USENIX Security Symposium (San Antonio, Texas), Jan 1998.]]

Digital Library

[30]

CCITT (Consultative Committee on International Telegraphy and Telephony). Recommendation X.509: The Directory---Authentication Framework, 1988.]]

[31]

R. Perlman and C. Kaufman. Method of Issuance and Revocation of Certificates of Authenticity Used in Public Key Networks and Other Systems. United State Patent 5,261,002, November 1993.]]

[32]

Ronald L. Rivest. Can We Eliminate Certificate Revocations Lists? In Financial Cryptography, Pages 178--183, 1998.]]

Digital Library

[33]

Petra Wohlmacher. Digital Certificates: a Survey of Revocation Methods. In Proceedings on ACM multimedia 2000 workshops, pages 111--114. ACM Press, 2000.]]

Digital Library

[34]

Rebecca N. Wright, Patrick Lincoln, and Jonathan K. Millen. Efficient Fault-tolerant Certificate Revocation. In ACM Conference on Computer and Communications Security, pages 19--24, 2000.]]

Digital Library

[35]

ITU-T Recommendation X.509. Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, August 1997.]]

Cited By

Khan SLuo FZhang ZUllah FAmin FQadri SHeyat MRuby RWang LUllah SLi MLeung VWu K(2023)A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger TechnologiesIEEE Communications Surveys & Tutorials10.1109/COMST.2023.332364025:4(2529-2568)Online publication date: 1-Oct-2023
https://dl.acm.org/doi/10.1109/COMST.2023.3323640
Ozcelik ISkjellum A(2021)CryptoRevocate: A Cryptographic Accumulator based Distributed Certificate Revocation List2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC)10.1109/CCWC51732.2021.9376112(0865-0872)Online publication date: 27-Jan-2021
https://doi.org/10.1109/CCWC51732.2021.9376112
Ayub MKnowles PPhan BCoffman J(2020)The Cost of a Macaroon2020 IEEE Systems Security Symposium (SSS)10.1109/SSS47320.2020.9174369(1-8)Online publication date: Jul-2020
https://doi.org/10.1109/SSS47320.2020.9174369
Show More Cited By

Recommendations

Separable implicit certificate revocation
ICISC'04: Proceedings of the 7th international conference on Information Security and Cryptology

The popular certificate revocation systems such as CRL and OCSP have a common drawback that they are explicit certificate revocation; the sender must obtain the revocation status information of the receiver’s certificate, before sending an encrypted ...
Certificate-based encryption and the certificate revocation problem
EUROCRYPT'03: Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques

We introduce the notion of certificate-based encryption. In this model, a certificate - or, more generally, a signature - acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an up-...
Beacon certificate push revocation
CSAW '08: Proceedings of the 2nd ACM workshop on Computer security architectures

Authentication information is best localized. Local sources of authentication information are better able to physically identify users, provide authoritative information on them, adequately protect authentication information and infrastructure, and ato ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGCOMM Computer Communication Review

ACM SIGCOMM Computer Communication Review Volume 33, Issue 2

April 2003

98 pages

ISSN:0146-4833

DOI:10.1145/956981

Issue’s Table of Contents

Copyright © 2003 Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 April 2003

Published in SIGCOMM-CCR Volume 33, Issue 2

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

48
Total Citations
View Citations
1,473
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)1

Reflects downloads up to 02 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Khan SLuo FZhang ZUllah FAmin FQadri SHeyat MRuby RWang LUllah SLi MLeung VWu K(2023)A Survey on X.509 Public-Key Infrastructure, Certificate Revocation, and Their Modern Implementation on Blockchain and Ledger TechnologiesIEEE Communications Surveys & Tutorials10.1109/COMST.2023.332364025:4(2529-2568)Online publication date: 1-Oct-2023
https://dl.acm.org/doi/10.1109/COMST.2023.3323640
Ozcelik ISkjellum A(2021)CryptoRevocate: A Cryptographic Accumulator based Distributed Certificate Revocation List2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC)10.1109/CCWC51732.2021.9376112(0865-0872)Online publication date: 27-Jan-2021
https://doi.org/10.1109/CCWC51732.2021.9376112
Ayub MKnowles PPhan BCoffman J(2020)The Cost of a Macaroon2020 IEEE Systems Security Symposium (SSS)10.1109/SSS47320.2020.9174369(1-8)Online publication date: Jul-2020
https://doi.org/10.1109/SSS47320.2020.9174369
Wang CHuang HYuan Y(2019)A Provably Secure Scalable Revocable Identity-Based Signature Scheme Without Bilinear PairingsSecurity with Intelligent Computing and Big-data Services10.1007/978-3-030-16946-6_47(588-597)Online publication date: 17-Apr-2019
https://doi.org/10.1007/978-3-030-16946-6_47
Annavajjala RAnand V(2017)Partition based hash tree — An efficient certificate revocation system2017 IEEE International Conference on Electro Information Technology (EIT)10.1109/EIT.2017.8053424(551-556)Online publication date: May-2017
https://doi.org/10.1109/EIT.2017.8053424
Ibrahim AMahmood BSinghal M(2016)A Secure Framework for Medical Information Exchange (MI-X) between Healthcare Providers2016 IEEE International Conference on Healthcare Informatics (ICHI)10.1109/ICHI.2016.33(234-243)Online publication date: Oct-2016
https://doi.org/10.1109/ICHI.2016.33
Ibrahim ASinghal M(2016)An abstract architecture design for medical information exchange2016 International Conference on Industrial Informatics and Computer Systems (CIICS)10.1109/ICCSII.2016.7462427(1-6)Online publication date: Mar-2016
https://doi.org/10.1109/ICCSII.2016.7462427
Baumeister TDong Y(2016)Towards secure identity management for the smart gridSecurity and Communication Networks10.1002/sec.9969:9(808-822)Online publication date: 1-Jun-2016
https://dl.acm.org/doi/10.1002/sec.996
Wang XBai YHu LSettle ASteinbach TBoisvert D(2015)Certification with Multiple SignaturesProceedings of the 4th Annual ACM Conference on Research in Information Technology10.1145/2808062.2808068(13-18)Online publication date: 29-Sep-2015
https://dl.acm.org/doi/10.1145/2808062.2808068
Akkaya KRabieh KMahmoud MTonyali S(2015)Customized Certificate Revocation Lists for IEEE 802.11s-Based Smart Grid AMI NetworksIEEE Transactions on Smart Grid10.1109/TSG.2015.23901316:5(2366-2374)Online publication date: Sep-2015
https://doi.org/10.1109/TSG.2015.2390131
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents