Challenges and Misconceptions of Certificate Revocation in PKI

By Qamar Peer Bellary Sadiq, CISSP, CCSP

Public Key Infrastructure (PKI) is the most commonly used technology in the security space for establishing authentication, data integrity, non-repudiation, email encryption and SSL/TLS with X.509 certificates (also known as digital certificates). A digital certificate is a form of identity document for the digital world and helps identify users, entities and servers.

PKI is an amalgamation of protocols, people, processes and technologies that must work in a synchronized manner to create, store, distribute, manage and revoke digital identities. However, there exist real-world challenges, pitfalls and misconceptions around certificate status validation in the PKI space that need to be highlighted.

Misconceptions about Certificate Revocation

Revocation of digital certificates is for expired certificates

This is the most commonly misunderstood concept. Revocation applies only to certificates that are still valid and have to be invalidated before their expiry for various reasons; an expired certificate is already invalid and is not the subject of revocation.

Revocation of digital certificates is not needed for unused certificates

Many certificate owners assume that "unused certificates" do not warrant revocation. However, unused certificates are the riskiest to exploit, so certificate owners must revoke them without delay. Certificate owners may make an exception to this approach only for short-lived certificates whose validity is less than 90 days, as a general principle and subject to their organization's risk appetite and business requirements.
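The two misconceptions above (expired versus revoked, and an unused but still-valid certificate) as an added Go example that is not part of the article: CertStatus keeps "expired" and "revoked" apart, refuses a CRL that is past its NextUpdate, and verifies the CRL signature before consulting it. The root, the "unused" leaf and the CRL are all constructed on the fly with Go's crypto/x509 package; the names and lifetimes are assumptions for the demonstration only.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// CertStatus separates expiry from revocation: outside its validity window a certificate is simply
// "expired", whatever a CRL says; only a still-valid one can be "revoked". A stale CRL is refused.
func CertStatus(cert *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "expired"
	}
	if now.After(crl.NextUpdate) {
		return "stale-crl"
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Demo uses constructed data only: a 72h test root and a 24h "unused" leaf revoked on a 24h CRL.
func Demo() map[string]string {
	now, later := time.Now(), time.Now().Add(48*time.Hour)
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-root"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // cRLSign is required to issue a CRL
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey))))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey))))
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey))))
	must(crl, crl.CheckSignatureFrom(ca)) // panics unless the CRL really was signed by the issuing CA
	return map[string]string{"leaf-now": CertStatus(leaf, crl, now), "leaf-later": CertStatus(leaf, crl, later),
		"root-now": CertStatus(ca, crl, now), "root-later": CertStatus(ca, crl, later)}
}
```

Run today the leaf reports "revoked"; 48 hours on it reports "expired" even though it is still listed on the CRL, and the still-valid root reports "stale-crl" because the CRL's NextUpdate has passed and a fresh one must be fetched.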

Revocation of digital certificates is seldom a real-time aspect

Another major misconception about Certificate Revocation is that it is “automatic” and “immediate.” In fact, it is neither automatic, as it is based on the certificate owner’s initiative to call for revocation, nor immediate, since the Certificate Authority (CA) must follow certain mandatory ..