Page 446 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Occasionally, a certificate authority needs to revoke a certificate. This might occur for one of the following reasons:

The certificate was compromised (for example, the certificate owner accidentally gave away the private key).
The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification).
The details of the certificate changed (for example, the subject’s name changed).
The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).
The revocation request grace period is the maximum response time within which a CA will perform any requested revocation. This is defined in the Certificate Practice Statement (CPS). The CPS states the practices a CA employs when issuing or managing certificates.
You can use two techniques to verify the authenticity of certificates and identify revoked certificates:

Certificate Revocation Lists
Certificate revocation lists (CRLs) are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by a CA and have been revoked, along with the date and time the revocation went into effect. The major disadvantage to certificate revocation lists is that they must be downloaded and cross-referenced periodically, introducing a period of latency between the time a certificate is revoked and the time end users are notified of the revocation. However, CRLs remain the most common method of checking certificate status in use today.
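The CRL check described above, as an added example that is not from the study guide: it uses Ruby's standard openssl library to build a constructed (not real) CA and a CRL it signs, then shows what a relying party must do with a downloaded CRL before trusting it: verify the CA's signature, confirm the CRL is inside its thisUpdate/nextUpdate window, and only then look up the certificate's serial number. The function names, the CA name and the serial numbers are assumptions made for the example.

```ruby
require 'openssl'

# Builds a throwaway CA (constructed for this example, not a real authority)
# and a CRL it signs that lists the given serial numbers as revoked.
# Returns [ca_cert, crl_der].
def build_crl(revoked_serials, now)
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Example CA (constructed)')
  ca.public_key = key.public_key
  ca.not_before = now - 3600
  ca.not_after = now + 48 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  # cRLSign is the key usage that entitles this CA to issue CRLs
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(key, OpenSSL::Digest.new('SHA256'))

  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = now              # thisUpdate: when this list was published
  crl.next_update = now + 12 * 3600  # clients must fetch a fresh CRL after this
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = now - 60            # when the revocation took effect
    crl.add_revoked(entry)
  end
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  [ca, crl.to_der]
end

# Verifies the CRL's signature and freshness, then looks up the serial.
# Returns :good, :revoked, or :unknown (the CRL cannot be relied on).
def check_status(ca, crl_der, serial, now)
  crl = OpenSSL::X509::CRL.new(crl_der)
  return :unknown unless crl.verify(ca.public_key)
  return :unknown if now < crl.last_update || now > crl.next_update
  crl.revoked.any? { |r| r.serial.to_i == serial } ? :revoked : :good
end
```

A certificate revoked after thisUpdate is absent from this list until the CA publishes the next one, which is the latency the text describes; a stale or unsigned CRL yields :unknown rather than :good.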
Online Certificate Status Protocol (OCSP)
This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA’s OCSP