LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How is a certificate revoked before its expiry, and how do clients learn about revocations?

A revocation marks a certificate as invalid before its expiry date — usually because the private key was compromised, the subject left the org, or details changed. Clients check via CRL (Certificate Revocation List) downloads or OCSP (Online Certificate Status Protocol) live queries.

Reasons for revocation:

  • Private key was compromised / stolen.
  • Certificate holder left the organisation.
  • Information in the certificate changed (rename, role change).
  • CA itself was compromised (revoke everything they issued — disaster).

The two distribution mechanisms:

CRL OCSP
What it is Big list of revoked serial numbers, signed by CA Per-cert live query: "is this still valid?"
Update freshness Periodic (hours to days) Real-time
Client cost Download list once, cache One query per cert validation
Privacy Good — local lookup Bad — CA learns every site you visit (mitigated by OCSP stapling)
Protocol HTTP download HTTP(S) query

OCSP stapling (RFC 6066) — the server pre-fetches the OCSP response and "staples" it to the TLS handshake, so the client doesn't have to query the CA itself. Solves the privacy problem and reduces handshake latency. Modern servers should have it enabled.

The revocation problem in practice: browsers historically did poor revocation checking ("soft-fail"). If the CRL or OCSP server is unreachable, most browsers just accept the certificate anyway — which means an attacker who blocks revocation traffic can effectively bypass the system. Modern fixes include must-staple certificate extension, CRLSets (Chrome's curated revocation list), and short certificate lifetimes (Let's Encrypt = 90 days), making revocation almost unnecessary.

Tip: Why must a revocation request itself be carefully verified? Because if anyone could revoke a competitor's cert, you'd have a DoS attack on demand. Revocation requests must prove ownership (proof-of-possession of the private key, or identity check at the RA).

From Quiz: ISF / Asymmetric Cryptography | Updated: Jul 14, 2026