Skip to main content
SpringerLink
Log in

A Response to “Can We Eliminate Certificate Revocation Lists?”

  • Conference paper
  • First Online:
Financial Cryptography (FC 2000)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 1962))

Included in the following conference series:

Abstract

The massive growth of electronic commerce on the Internet heightens concerns over the lack of meaningful certificate management. One issue limiting the availability of such services is the absence of scalable certificate revocation. The use of certificate revocation lists (CRLs) to convey revocation state in public key infrastructures has long been the subject of debate. Centrally, opponents of the technology attribute a range of semantic and technical limitations to CRLs. In this paper, we consider arguments advising against the use of CRLs made principally by Rivest in his paper “Can we eliminate certificate revocation lists?” [1]. Specifically, the assumptions and environments on which these arguments are based are separated from those features inherent to CRLs. We analyze the requirements and potential solutions for three distinct PKI environments. The fundamental tradeoffs between revocation technologies are identified. Prom the case study analysis we show how, in some environments, CRLs are the most efficient vehicle for distributing revocation state. The lessons learned from our case studies are applied to a realistic PKI environment. The result, revocation on demand, is a CRL based mechanism providing timely revocation information.

This work was completed at AT&T Labs in Florham Park, NJ as part of the AT&T summer internship program.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ronald L. Rivest. Can We Eliminate Certificate Revocation Lists? In Rafael Hirschfeld, ed., Financial Cryptography FC’ 98, volume 1465, pages 178–183, Anguilla, British West Indies, February 1998. Springer.

    Google Scholar 

  2. J. Millen and R. Wright. Certificate Revocation the Responsible Way. In Post-Proceedings of Computer Security, Dependability, and Assurance: From Needs to Solutions, volume ix, pages 196–203. IEEE, 1999.

    Article  Google Scholar 

  3. B. Fox and B. LaMacchia. Online Certificate Status Checking in Financial Transactions: The Case for Re-issuance. In Rafael Hirschfeld, ed., Financial Cryptography FC’ 99, volume 1648, pages 104–117, Anguilla, British West Indies, February 1999. Springer.

    Google Scholar 

  4. M. Myers. Revocation: Options and Challenges. In Rafael Hirschfeld, ed., Financial Cryptography FC’ 98, volume 1465, pages 165–171, Anguilla, British West Indies, February 1998. Springer.

    Google Scholar 

  5. S. Kent. Internet Privacy Enhanced Mail. Communications of the ACM, 36(8):48–60, August 1993.

    Article  Google Scholar 

  6. R. Housley, W. Ford, W. Polk, and D. Solo. RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile. Internet Engineering Task Force, January 1999.

    Google Scholar 

  7. D. Chadwick and A. Young. Merging and Extending the PGP and PEM Trust Models-The ICE-TEL Trust Model. IEEE Network, 11(3):16–24, May/June 1997.

    Article  Google Scholar 

  8. P. McDaniel and S. Jamin. A Scalable Key Distribution Hierarchy.Technical Report CSE-TR-366-98, Electrical Engineering and Computer Science, University of Michigan, July 1998.

    Google Scholar 

  9. C. Adams and R. Zuccherato. A General, Flexible Approach to Certificate Revocation, June 1998. http://www.entrust.com/securityzone/whitepapers.htm.

  10. P. Kocher. On Certificate Revocation and Validation. In Rafael Hirschfeld, ed., Financial Cryptography FC’ 98, volume 1465, pages 172–177, Anguilla, British West Indies, February 1998. Springer.

    Google Scholar 

  11. P. McDaniel and S. Jamin. Windowed Certificate Revocation. In Proceedings of IEEE Infocom 2000. IEEE, March 2000. Tel Aviv, Israel, (to appear).

    Google Scholar 

  12. P. Hallam-Baker and W. Ford. Internet X.509 Public Key Infrastructure-ENHANCED CRL DISTRIBUTION OPTIONS. Internet Engineering Task Force, August 1998. (draft, expired) draft-ietf-pkix-ocdp-01.txt.

    Google Scholar 

  13. S. Micali. Efficient Certificate Revocation. Technical Report Technical Memo MIT/LCS/TM-542b, Massachusetts Institute of Technology, 1996.

    Google Scholar 

  14. M. Noar and K. Nassim. Certificate Revocation and Certificate Update. In Proceedings of the 7th USENIX Security Symposium, pages 217–228, January 1998.

    Google Scholar 

  15. M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP. Internet Engineering Task Force, June 1999.

    Google Scholar 

  16. J. Galvin. Public Key Distribution with Secure DNS. In Proceedings of the 6th USENIX Security Symposium, pages 161–170, July 1996.

    Google Scholar 

  17. D. Eastlake and C. Kaufman. RFC 2065, Domain Name System Security Extensions. Internet Engineering Task Force, January 1997.

    Google Scholar 

  18. R. Rivest and B. Lampson. SDSI A Simple Distributed Security Infrastructure, October 1996. http://theory.lcs.mit.edu/fivest/sdsill.html.

  19. B. C. Neuman and T. Ts’o. Kerberos: An Authentication Service for Computer Networks. IEEE Communications, 32(9):33–38, September 1994.

    Article  Google Scholar 

  20. C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen. RFC 2693, SPKI Certificate Theory. Internet Engineering Task Force, September 1999.

    Google Scholar 

  21. C. Adams and S. Farrell. RFC 2510, X.509 Internet Public Key Infrastructure Certificate Management Protocols. Internet Engineering Task Force, March 1999.

    Google Scholar 

  22. B. Fox and B. LaMacchia. Certificate Revocation: Mechanics and Meaning. In Rafael Hirschfeld, ed., Financial Cryptography FC’ 98, volume 1465, pages 158–164, Anguilla, British West Indies, February 1998. Springer.

    Google Scholar 

  23. T. Dierks and C. Allen. RFC 2246, The TLS Protocol Version 1.0. Internet Engineering Task Force, January 1999.

    Google Scholar 

  24. D. Kahn. The Codebreakers. Macmillan Publishing Co., 1967.

    Google Scholar 

  25. R. Wilhelm. Publish and Subscribe with User Specified Action. In Patterns Workshop, OOPSLA’ 93, 1993.

    Google Scholar 

  26. S. McCanne, V. Jacobson, and M. Vetterli. Receiver Driven Layered Multicast. In Proceedings of ACM SIGCOMM’ 96, pages 117–130. Association of Computing Machinery, September 1996.

    Google Scholar 

  27. P. Zimmermann. PGP User’s Guide. Distributed by the Massachusetts Instituteof Technology, May 1994.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. EECS Department, University of Michigan, Ann Arbor, USA

    Patrick McDaniel

  2. AT&T Labs, Research Florham Park, NJ, USA

    Aviel Rubin

Authors
  1. Patrick McDaniel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aviel Rubin
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. 122 Harrison Ave, Westfield, 07090, NJ, USA

    Yair Frankel

Rights and permissions

Reprints and permissions

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McDaniel, P., Rubin, A. (2001). A Response to “Can We Eliminate Certificate Revocation Lists?”. In: Frankel, Y. (eds) Financial Cryptography. FC 2000. Lecture Notes in Computer Science, vol 1962. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45472-1_17

Download citation

  • DOI: https://doi.org/10.1007/3-540-45472-1_17

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42700-1

  • Online ISBN: 978-3-540-45472-4

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation