7th USENIX Security Symposium, San Antonio, Texas
Certificate Revocation and Certificate Update
Moni Naor and Kobbi Nissim
Weizmann Institute of Science
A new solution is suggested for the problem of certificate revocation.
This solution represents Certificate Revocation Lists by an authenticated
search data structure.
The process of verifying whether a certificate is in the list or not, as
well as updating the list, is made very efficient.
The suggested solution gains in scalability, communication costs,
robustness to parameter changes and update rate.
Comparisons to the following solutions are included:
`traditional' CRLs (Certificate Revocation Lists),
Micali's Certificate Revocation System (CRS) and
Kocher's Certificate Revocation Trees (CRT).
Finally, a scenario in which certificates are not revoked,
but frequently issued for short-term periods is considered.
Based on the authenticated search data structure scheme,
a certificate update scheme is presented
in which all certificates are updated by a common message.
The suggested solutions for certificate revocation and certificate update
problems is better than current solutions with respect to communication
costs, update rate, and robustness to changes in parameters and is compatible
e.g. with X.500 certificates.
- View the full text of this paper in
HTML form and
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.