Overview#
Certificate Revocation is a Revocation model that describes ability to revoke CertificatesA Certificate Authority can revoke any certificate it has issued. A certificate needs to be revoked if one or more of the following situations occur:
- The owner of the Certificate has changed status and no longer has the right to use the Certificate.
- The Private Key of a Certificate owner has been compromised.
- The Certificate owner doesn't want the certificate to be used anymore.
- The Private Key of the Certificate Authority that issued the certificate has been compromised.
Whenever a certificate is revoked, the Certificate Authority updates the status of the certificate in its internal database. This way, the server keeps track of all revoked certificates in its internal database and it makes the revoked list of certificates public (by publishing it to a central repository) to notify other users that the certificates in the list are no longer valid. Typically, the Certificate Authority will a method to allow possible users of the Certificate to know the status of the Certificate through one or more of the following methods:
Certificate Revocation is broken [1]#
More and more sites are obtaining certificates, vitally important documents that we need to deploy HTTPS, but we have no way of protecting ourselves when things go wrong. Revocation is broken
by Scott Helme show why.
More Information#
There might be more information for this subject on one of the following:- Automatic Certificate Management Environment
- CRLSets
- Certificate Revocation List
- Certificate Validation
- DNSChain
- Online Certificate Status Protocol
- Revocation model
- [#1] - Revocation is broken - based on information obtained 2017-10-30
