
Commit eef70d4

committed
more on revocation
1 parent 41cd3bc commit eef70d4

File tree

1 file changed

+22
-13
lines changed

key-distro.rst

Lines changed: 22 additions & 13 deletions
@@ -287,19 +287,28 @@ that a revoked certificate needs to stay on a CRL. As soon as its
287287
original expiration date is passed, it can be removed from the CRL.
288288

289289
In practice, certificate revocation has proven to be challenging. CRLs
290-
can become very long, so retrieving them becomes costly. The time to
291-
retrieve a CRL may fall in the critical path for opening a
292-
connection to a web site, increasing the time to load a
293-
page substantially. A determined attacker who has compromised a
294-
private key is motivated to disrupt the distribution of the CRL to
295-
prolong the amount of time they can use the compromised key. A number
296-
of proposals have been made to improve the effectiveness of
297-
certificate revocation, such as using bit vectors or other compact
298-
representations of the CRL to reduce its size, and the development of
299-
the Online Certification Status Protocol (OCSP) to enable real-time
300-
checks on a certificate's status. At the time of writing, there are
301-
some best practices for handling certificate revocation but no
302-
comprehensive solution.
290+
can become very long now that certificates are in widespread use, so
291+
retrieving them becomes costly. The time to retrieve a CRL may fall in
292+
the critical path for opening a connection to a web site,
293+
substantially increasing the time to load a page. A determined
294+
attacker who has compromised a private key is motivated to disrupt the
295+
distribution of the CRL to prolong the amount of time they can use the
296+
compromised key. A number of proposals have been made to improve the
297+
effectiveness of certificate revocation, such as using bit vectors or
298+
other compact representations of the CRL to reduce its size, and the
299+
development of the Online Certification Status Protocol (OCSP) to
300+
enable real-time checks on a certificate's status. At the time of
301+
writing, there are some best practices for handling certificate
302+
revocation but no comprehensive solution. A good discussion of the
303+
issues and a potential approach to more effective certificate
304+
revocation can be found in the blog post below.
305+
306+
.. admonition:: Further Reading
307+
308+
J. Schank. `CRLite: Fast, private, and comprehensive certificate
309+
revocation checking in Firefox
310+
<https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/>`__. Mozilla
311+
blog, August 2025.
303312

304313
4.2 Distribution of Secret Keys
305314
------------------------------------
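Review bot: the expansion of OCSP in the added lines 299+/300+ ("Online Certification Status Protocol") should read "Online Certificate Status Protocol"; the wording was carried over unchanged from the removed lines, so this revision is the moment to correct it. The new sentence "can be found in the blog post below" also ties the prose to the position of the admonition; naming the reference instead (e.g. "in the CRLite post under Further Reading") keeps the sentence correct if the admonition is later moved. Since the paragraph already observes that an attacker who holds a compromised key is motivated to disrupt CRL distribution, one clause noting that an OCSP responder can be blocked in the same way, leaving the client to decide how to proceed when no status is available, would make the "no comprehensive solution" conclusion follow more directly and motivate the CRLite reading.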
