Certificate revocation means taking away the certificate or replacing it before the certificate expiration ends. This happens due to many circumstance. For example see the below example, here the certificate is revoked because the site got hacked and the attacker retrieves server’s certificate and its corresponding RSA private key which is extremely dangerous as he now have the access to modiy anything on that website and server. He can read all the packets as he has the private key to decipher the communication.

So to avoid the above 5 & 6 scenarion , Certificate Revocation List comes into play , it is nothing but a list of serial numbers and dates of all the previously revoked certificate. So we can match and verify our currently using certificate serial number and if it matches this list then we might be in trouble , if not then we are using the legitimate certificate.

REVOKING CERTIFICATES

• There are a veriety of reasons digital certificates may need to be revoked prior to their expiration dates which is shown in the below graph.

• Clients that receive server certificates need to know if that certificate has been revoked in order to detect spoofed websites.

METHODS FOR REVOCATION CHECKS

1. CRL - Certificate Revocation Lists
2. CRLSets
3. OCSP - Online Certificate Status Protocol
   • OCSP with Soft-Fail
   • OCSP Stapling
   • Must-Staple Extension.

• CRL = A list of the serial numbers of unexpired security certificates which have been revoked b their issuer and should no longer be trusted. Each CA maintains their own CRL. CA provides pointer to CRLs within certificates they generate.

• But the problem using CRL is that ,
  • CRLs have become very long over time ( up to 28MB size )
  • Reaching a CRL requires reachability to the CA from the web client.
  • May slow down the TLS transaction.