Abstract
PKI has a history of very poor support for revocation. It is both too expensive and too coarse grained, so that private keys which are compromised or otherwise become invalid remain in use long after they should have been revoked. This paper considers Instant Revocation, or revocations which take place within a second or two.
A new revocation scheme, Certificate Push Revocation (CPR) is described which can support instant revocation. CPR can be hundreds to thousands of times more Internet-bandwidth efficient than traditional and widely deployed schemes. It also achieves significant improvements in cryptographic overheads. Its costs are essentially independent of the number of queries, encouraging widespread use of PKI authentication.
Although explored in the context of instant revocation, CPR is even more efficient—both in relative and absolute terms—when used with coarser grain (non-instant) revocations.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Chadwick, D.W., Anthony, S.: Using webDAV for improved certificate revocation and publication. In: López, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 265–279. Springer, Heidelberg (2007)
Fox, A., Brewer, E.A.: Harvest, yield and scalable tolerant systems. In: Workshop on Hot Topics in Operating Systems, pp. 174–178 (1999)
Gilbert, S., Lynch, N.: Brewer’s conjecture and the feasibility of consistent, available, partition-tolerant web services. SIGACT News 33(2), 51–59 (2002)
Goyal, V.: Certificate revocation using fine grained certificate space patitioning. In: Financial Cryptography and Data Security Conference (2007)
Gutmann, P.: PKI: It’s not dead, just resting. IEEE Computer 35(8), 41–49 (2002)
Gutmann, P.: Drawing lessons. In: 3rd PKI workshop (2004)
Iliadis, J., Gritzalis, S., Spinellis, D., Cock, D.D., Preneel, B., Gritzalis, D.: Towards a framework for evaluating certificate status information mechanisms. Computer Communications 26(16), 1839–1850 (2003)
Iliadis, J., Spinellis, D., Gritzalis, D., Preneel, B., Katsikas, S.: Evaluating certificate status information mechanisms. In: CCS 2000: Proceedings of the 7th ACM conference on Computer and communications security, pp. 1–8. ACM, New York (2000)
Kocher, P.C.: On certificate revocation and validation. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 172–177. Springer, Heidelberg (1998)
Koga, S., Sakurai, K.: Proposal and analysis of a distributed online certificate status protocol with low communication cost. IEICE Transactions 88-A(1), 247–254 (2005)
Lamport, L.: Password authentification with insecure communication. Commun. ACM 24(11), 770–772 (1981)
Lopez, J., Mana, A., Montenegro, J.A., Ortega, J.J.: PKI design based on the use of on-line certification authorities. Int. J. Inf. Sec. 2(2), 91–102 (2004)
Merkle, R.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)
Micali, S.: Efficient certificate revocation. Technical report, Massachusetts Institute of Technology, Cambridge, MA, USA (1996)
Micali, S.: Efficient certificate revocation. In: Proceedings of the RSA Data Security Conference (1997)
Micali, S.: NOVOMODO: Scalable certificate validation and simplified PKI management. In: 1st PKI Workshop (2002)
Mills, D.L.: Network Time Protocol (version 3) specification, implementation and analysis. Internet Request for Comment RFC 1305, Internet Engineering Task Force (March 1992)
Online certificate status protocol, version 2. Working document of the Internet Engineering Task Force (IETF)
Radhakrishnan, M., Solworth, J.A.: Netauth: Supporting user-based network services. In: Usenix Security (2008)
Rivest, R.L.: Can we eliminate certificate revocations lists? In: Financial Cryptography, pp. 178–183 (1998)
Russell, S., Dawson, E., Okamoto, E., Lopez, J.: Virtual certificates and synthetic certificates: new paradigms for improving public key validation. Computer Communications 26(16), 1826–1838 (2003)
Solworth, J.A.: What can you say? and what does it mean? In: Workshop on Trusted Collaboration, IEEE, Los Alamitos (2006)
Stubblebine, S.: Recent-secure authentication: Enforcing revocation in distributed systems. In: Proceedings 1995 IEEE Symposium on Research in Security and Privacy, May 1995, pp. 224–234 (1995)
Vanrenen, G., Smith, S.W., Marchesini, J.: Distributing security-mediated PKI. Int. J. Inf. Sec 5(1), 3–17 (2006)
Yang, J.-P., Sakurai, K., Rhee, K.H.: Distributing security-mediated PKI revisited. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 31–44. Springer, Heidelberg (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Solworth, J.A. (2008). Instant Revocation. In: Mjølsnes, S.F., Mauw, S., Katsikas, S.K. (eds) Public Key Infrastructure. EuroPKI 2008. Lecture Notes in Computer Science, vol 5057. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69485-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-540-69485-4_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69484-7
Online ISBN: 978-3-540-69485-4
eBook Packages: Computer ScienceComputer Science (R0)