Efficient offline certificate revocation

Abstract

Identity Certificates (ICs) are widely used as underlying technology for securing many protocols and applications in the Internet. A Public Key Infrastructure (PKI) is required to securely deliver these certificates to widely-distributed users or systems. An identity certificate contains credentials and statements and as any document of this kind its contents are only guaranteed for a limited amount of time. The validity period of an IC might be quite long (up to several years). However, there are circumstances under which the validity of a certificate must be terminated sooner than assigned and thus, the certificate needs to be revoked. The revocation of certificates implies one of the major scalability problems in the whole PKI. Revocation can be achieved using either an online scheme or an offline scheme. In this paper we introduce the basics of these two schemes and we dicuss their advantages and drawbacks. We show also that offline systems provide the best level of security protection. Finally, we present an efficient offline system with bandwidth requirements similar to typical online systems. © Springer-Verlag Berlin Heidelberg 2003.