Certificate Revocation (CRL vs OCSP)
Certificate Revocation is used within PKI (Public Key Infrastructure) to instruct the client that the certificate can no longer be trusted. This is required in scenarios where the private key has been compromised.
Prior to a CA issuing a certificate to a company, the CA performs a level of validation that the company is who it claims to be. There are 3 levels of validation, ranging from DV (lowest) up to EV (highest).
Domain Validation (DV) - This type of certificate is the least expensive of the 3. It requires a basic form of domain validation to be performed. Validation is performed by email.
Organization Validation (OV) - When obtaining an OV certificate, the company name is checked against a company register, such as a Chamber of Commerce.
Extended Validation (EV) - As with OV, a company search is performed; in addition, the physical location is checked and the contact who requested the certificate is also validated.
CRLs (Certificate Revocation Lists) were the first mechanism to give the CA the ability to revoke certificates; however, due to limitations with this method it was superseded by OCSP.
Each of these methods is detailed below, along with its main advantages and disadvantages.
A CRL (Certificate Revocation List) contains the serial numbers of certificates that have been revoked by the CA. The client checks the serial number of the certificate it received against the serial numbers in the list (sample shown below).
Serial Number: 2572757EAAF2BEC5980067579A0A7705
Revocation Date: May 1 19:56:10 2013 GMT
Serial Number: 776DDD15D25C713616E7D4A8EACFB4A1
Revocation Date: May 24 13:03:16 2013 GMT
To instruct the client on where to find the CRL, a CRL distribution point is embedded within each certificate (shown below):
X509v3 Authority Key Identifier:
    keyid:D1:6D:2E:7C:5C:AD:14:FC:2A:72:92:C2:82:CB:B9:6E:DC:A5:C4:02
X509v3 Subject Key Identifier:
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
X509v3 CRL Distribution Points:
The main disadvantages of CRLs are:
- They can create a large amount of overhead, as the client has to search through the entire revocation list, which in some cases can be thousands of entries long.
- CRLs are updated periodically, every 5-14 days, potentially leaving the window of exposure open until the next CRL update.
- The CRL is not checked for OV or DV based certificates.
- If the client is unable to download the CRL then by default the client will trust the certificate.
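The CRL lookup and the fail-open behaviour described in the bullets above, as an added example (not code from the original post): a small parser for CRL text in the layout of the sample shown earlier, a status check that treats a missing or stale list (past its Next Update) as "unknown" rather than "good", and the trust decision that a soft-failing client makes on that unknown result. The CRL text, the timestamps and the Next Update value are constructed for the example; the serials are the two from the sample above.

```python
from datetime import datetime, timezone
from enum import Enum

# Constructed CRL text in the "openssl crl -text" layout, reusing the two serials shown above.
SAMPLE_CRL_TEXT = """\
Next Update: Jun  1 00:00:00 2013 GMT
    Serial Number: 2572757EAAF2BEC5980067579A0A7705
        Revocation Date: May  1 19:56:10 2013 GMT
    Serial Number: 776DDD15D25C713616E7D4A8EACFB4A1
        Revocation Date: May 24 13:03:16 2013 GMT
"""
NOW = datetime(2013, 5, 26, tzinfo=timezone.utc)               # inside the list's validity
AFTER_NEXT_UPDATE = datetime(2013, 6, 2, tzinfo=timezone.utc)  # the list has gone stale

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no usable answer: CRL not available or past its Next Update

def _time(value):  # openssl timestamp such as 'May  1 19:56:10 2013 GMT'; repeated spaces ignored
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def _serial(value):  # so 'ab:cd' and 'ABCD' compare equal
    return value.replace(":", "").strip().upper()

def parse_crl(text):  # returns (next_update, {serial: revocation_date})
    next_update, revoked, pending = None, {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Next Update":
            next_update = _time(value)
        elif key == "Serial Number":
            pending = _serial(value)
        elif key == "Revocation Date" and pending:
            revoked[pending], pending = _time(value), None
    return next_update, revoked

def check_status(serial, crl_text, now=NOW):
    if crl_text is None:  # the download failed: the case the last bullet above describes
        return Status.UNKNOWN
    next_update, revoked = parse_crl(crl_text)
    if next_update is not None and now > next_update:
        return Status.UNKNOWN  # stale: anything revoked since Next Update is invisible
    return Status.REVOKED if _serial(serial) in revoked else Status.GOOD

def trust_decision(status, fail_closed=False):
    # Soft-fail (the default described above) trusts on UNKNOWN; hard-fail rejects it.
    if status is Status.UNKNOWN:
        return not fail_closed
    return status is Status.GOOD
```

With the default `fail_closed=False`, a certificate whose CRL could not be fetched is trusted exactly as the last bullet describes; passing `fail_closed=True` is the stricter policy.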
OCSP (Online Certificate Status Protocol) removes many of the disadvantages of CRLs by allowing the client to check the status of a single certificate.
The OCSP process is shown below:
- Client receives certificate.
- Client sends an OCSP Request to an OCSP Responder (over HTTP) with the certificate's serial number.
- OCSP Responder replies with a certificate status of either Good, Revoked or Unknown (shown below):
Response verify OK
0x25F5V12D5E6FD0BD4EAF2A2C966F3B4aE: good
    This Update: Jan 19 00:24:56 2011 GMT
    Next Update: Jan 26 00:24:56 2011 GMT
The main advantage of OCSP is that, because the client can query the status of a single certificate rather than having to download and parse an entire list, there is much less overhead on the client and the network.
However, the main disadvantages of OCSP are:
- An OCSP Request is sent for each certificate. Because of this there can be a huge overhead on the OCSP Responder (i.e. the CA) for high-traffic websites.
- If the private key was compromised, the attacker would need to leverage a MITM attack to intercept traffic and pose as the server. Because most browsers silently ignore OCSP if the request times out, OCSP still cannot be considered a 100% reliable method for mitigating HTTPS server key compromises.
- OCSP is not enforced for OV- or DV-based certificates; it is checked for EV certificates.
OCSP Stapling resolves the overhead issues of OCSP and CRLs by having the certificate holder (i.e. the server) periodically perform the OCSP Request itself. The OCSP Response is then sent to the client (i.e. stapled to the certificate) during the SSL handshake.
NOTE: The OCSP Response is signed by the CA, which ensures that it has not been modified by the server before being sent on to the client.
The main disadvantages of OCSP Stapling are:
- Only supported in TLS 1.2.
- It is still not supported by many browsers. This results in either no OCSP validation being performed or standard OCSP being used instead.