A response to “can we eliminate certificate revocation lists?”

Patrick McDaniel, Aviel Rubin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

17 Citations (Scopus)

Abstract

The massive growth of electronic commerce on the Internet heightens concerns over the lack of meaningful certificate management. One issue limiting the availability of such services is the absence of scalable certificate revocation. The use of certificate revocation lists (CRLs) to convey revocation state in public key infrastructures has long been the subject of debate. Centrally, opponents of the technology attribute a range of semantic and technical limitations to CRLs. In this paper, we consider arguments advising against the use of CRLs made principally by Rivest in his paper “Can we eliminate certificate revocation lists?” [1]. Specifically, the assumptions and environments on which these arguments are based are separated from those features inherent to CRLs. We analyze the requirements and potential solutions for three distinct PKI environments. The fundamental tradeoffs between revocation technologies are identified. From the case study analysis we show how, in some environments, CRLs are the most efficient vehicle for distributing revocation state. The lessons learned from our case studies are applied to a realistic PKI environment. The result, revocation on demand, is a CRL based mechanism providing timely revocation information.

Original language: English (US)
Title of host publication: Financial Cryptography - 4th International Conference, FC 2000, Proceedings
Editors: Yair Frankel
Publisher: Springer Verlag
Pages: 245-258
Number of pages: 14
ISBN (Print): 3540427007
State: Published - Jan 1 2001
Event: 4th International Conference on Financial Cryptography, FC 2000 - Anguilla, Anguilla
Duration: Feb 20 2000 → Feb 24 2000

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 1962
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Conference on Financial Cryptography, FC 2000
Country: Anguilla
City: Anguilla
Period: 2/20/00 → 2/24/00

Fingerprint

Revocation
Certificate
Eliminate
Electronic commerce
Semantics
Availability
Internet
Public Key Infrastructure
Electronic Commerce

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

McDaniel, P., & Rubin, A. (2001). A response to “can we eliminate certificate revocation lists?”. In Y. Frankel (Ed.), Financial Cryptography - 4th International Conference, FC 2000, Proceedings (pp. 245-258). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 1962). Springer Verlag.
McDaniel, Patrick ; Rubin, Aviel. / A response to “can we eliminate certificate revocation lists?”. Financial Cryptography - 4th International Conference, FC 2000, Proceedings. editor / Yair Frankel. Springer Verlag, 2001. pp. 245-258 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{0f9d9409d38e4d048ae200dcd8f43b15,
title = "A response to “can we eliminate certificate revocation lists?”",
abstract = "The massive growth of electronic commerce on the Internet heightens concerns over the lack of meaningful certificate management. One issue limiting the availability of such services is the absence of scalable certificate revocation. The use of certificate revocation lists (CRLs) to convey revocation state in public key infrastructures has long been the subject of debate. Centrally, opponents of the technology attribute a range of semantic and technical limitations to CRLs. In this paper, we consider arguments advising against the use of CRLs made principally by Rivest in his paper “Can we eliminate certificate revocation lists?” [1]. Specifically, the assumptions and environments on which these arguments are based are separated from those features inherent to CRLs. We analyze the requirements and potential solutions for three distinct PKI environments. The fundamental tradeoffs between revocation technologies are identified. From the case study analysis we show how, in some environments, CRLs are the most efficient vehicle for distributing revocation state. The lessons learned from our case studies are applied to a realistic PKI environment. The result, revocation on demand, is a CRL based mechanism providing timely revocation information.",
author = "Patrick McDaniel and Aviel Rubin",
year = "2001",
month = "1",
day = "1",
language = "English (US)",
isbn = "3540427007",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "245--258",
editor = "Yair Frankel",
booktitle = "Financial Cryptography - 4th International Conference, FC 2000, Proceedings",
address = "Germany",

}

McDaniel, P & Rubin, A 2001, A response to “can we eliminate certificate revocation lists?”. in Y Frankel (ed.), Financial Cryptography - 4th International Conference, FC 2000, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 1962, Springer Verlag, pp. 245-258, 4th International Conference on Financial Cryptography, FC 2000, Anguilla, Anguilla, 2/20/00.

TY - GEN

T1 - A response to “can we eliminate certificate revocation lists?”

AU - McDaniel, Patrick

AU - Rubin, Aviel

PY - 2001/1/1

Y1 - 2001/1/1

N2 - The massive growth of electronic commerce on the Internet heightens concerns over the lack of meaningful certificate management. One issue limiting the availability of such services is the absence of scalable certificate revocation. The use of certificate revocation lists (CRLs) to convey revocation state in public key infrastructures has long been the subject of debate. Centrally, opponents of the technology attribute a range of semantic and technical limitations to CRLs. In this paper, we consider arguments advising against the use of CRLs made principally by Rivest in his paper “Can we eliminate certificate revocation lists?” [1]. Specifically, the assumptions and environments on which these arguments are based are separated from those features inherent to CRLs. We analyze the requirements and potential solutions for three distinct PKI environments. The fundamental tradeoffs between revocation technologies are identified. From the case study analysis we show how, in some environments, CRLs are the most efficient vehicle for distributing revocation state. The lessons learned from our case studies are applied to a realistic PKI environment. The result, revocation on demand, is a CRL based mechanism providing timely revocation information.

UR - http://www.scopus.com/inward/record.url?scp=84944328054&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84944328054&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84944328054

SN - 3540427007

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 245

EP - 258

BT - Financial Cryptography - 4th International Conference, FC 2000, Proceedings

A2 - Frankel, Yair

PB - Springer Verlag

ER -

McDaniel P, Rubin A. A response to “can we eliminate certificate revocation lists?”. In Frankel Y, editor, Financial Cryptography - 4th International Conference, FC 2000, Proceedings. Springer Verlag. 2001. p. 245-258. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).