TY - JOUR
T1 - Certificate revocation and certificate update
AU - Naor, Moni
AU - Nissim, Kobbi
N1 - Funding Information:
Manuscript received February 1, 1999; revised October 3, 1999. The work of M. Naor was supported by BSF under Grant 94-00032. A preliminary version of this paper appeared in Proc. 7th USENIX Security Symposium, 1998. The authors are with the Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot 76100, Israel (e-mail: {naor; kobbi}@wisdom.weismann.ac.il). Publisher Item Identifier S 0733-8716(00)01522-5.
PY - 2000/4/1
Y1 - 2000/4/1
N2 - We present a solution for the problem of certificate revocation. This solution represents certificate revocation lists by authenticated dictionaries that support: 1) efficient verification whether a certificate is in the list or not and 2) efficient updates (adding/removing certificates from the list). The suggested solution gains in scalability, communication costs, robustness to parameter changes, and update rate. Comparisons to the following solutions (and variants) are included: 'traditional' certificate revocation lists (CRL's), Micali's certificate revocation system (CRS), and Kocher's certificate revocation trees (CRT). We also consider a scenario in which certificates are not revoked, but frequently issued for short-term periods. Based on the authenticated dictionary scheme, a certificate update scheme is presented in which all certificates are updated by a common message. The suggested solutions for certificate revocation and certificate update problems are better than current solutions with respect to communication costs, update rate, and robustness to changes in parameters, and are compatible, e.g., with X.500 certificates.
AB - We present a solution for the problem of certificate revocation. This solution represents certificate revocation lists by authenticated dictionaries that support: 1) efficient verification whether a certificate is in the list or not and 2) efficient updates (adding/removing certificates from the list). The suggested solution gains in scalability, communication costs, robustness to parameter changes, and update rate. Comparisons to the following solutions (and variants) are included: 'traditional' certificate revocation lists (CRL's), Micali's certificate revocation system (CRS), and Kocher's certificate revocation trees (CRT). We also consider a scenario in which certificates are not revoked, but frequently issued for short-term periods. Based on the authenticated dictionary scheme, a certificate update scheme is presented in which all certificates are updated by a common message. The suggested solutions for certificate revocation and certificate update problems are better than current solutions with respect to communication costs, update rate, and robustness to changes in parameters, and are compatible, e.g., with X.500 certificates.
UR - http://www.scopus.com/inward/record.url?scp=0033733822&partnerID=8YFLogxK
U2 - 10.1109/49.839932
DO - 10.1109/49.839932
M3 - Article
AN - SCOPUS:0033733822
SN - 0733-8716
VL - 18
SP - 561
EP - 570
JO - IEEE Journal on Selected Areas in Communications
JF - IEEE Journal on Selected Areas in Communications
IS - 4
ER -