As part of its effort to promote SSL certificate best practices, the CA Security Council (CASC) has published two blog posts on the importance of revocation checking, Part 1 and Part 2.

Here is my summary of SSL certificate status checking.

What is the purpose of a CA-issued SSL certificate?

  • To give the end user assurance of who controls the website
  • A CA-issued SSL certificate enables encryption as well, but so does a self-signed certificate; what a self-signed certificate does not provide is trust
  • Trust is elevated based on the verification practice used to validate the certificate applicant:
    • Domain Validation (DV) verifies the domain name is controlled by the applicant.
    • Organization Validation (OV) verifies an identity that controls the validated domain.
    • Extended Validation (EV) verifies the identity and authorization of the applicant at a higher level.

Why revoke a certificate?

  • Changes on the website owner's side (e.g., it has gone out of business, no longer owns the domain, or has changed its organization name)
  • The private key corresponding to the certificate has been compromised by a third party
  • CA learns that information in the certificate has changed or has been misrepresented

How is a certificate status conveyed?

  • Certificate Revocation List (CRL) – A digitally signed file, issued by the CA, listing the certificates it has revoked that have not yet expired
  • Online Certificate Status Protocol (OCSP) – A protocol in which the client asks for the status of one particular certificate from one particular issuer and receives a digitally signed response containing that status
  • The locations of the CRL and of the OCSP responder are included in the certificate itself, in the CRL Distribution Points and Authority Information Access extensions
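To make the two mechanisms concrete, here is an added example, my own and not part of the CASC posts: a shell script that uses the openssl command line to build a throwaway CA, issue a certificate, revoke it, and then check its status once through a CRL and once through an OCSP response. Every name, hostname and URL in it (Demo Root CA, www.example.test, crl.example.test, ocsp.example.test) is made up for the demonstration, and the OCSP answer is produced locally from the CA's own index.txt rather than fetched from a network responder.

```shell
#!/bin/sh
# Added example (not from the CASC post): a throwaway CA built with the openssl CLI
# issues a certificate, revokes it, and conveys the status both ways described
# above. Runs offline; the CA name, hostname and status URLs are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal 'openssl ca' configuration. leaf_ext embeds the CRL Distribution Points
# and Authority Information Access (OCSP) URLs in every certificate it issues.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid, issuer
crlDistributionPoints = URI:http://crl.example.test/demo.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
EOF
mkdir newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber

# 1. Root CA key and self-signed certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl req -new -x509 -config ca.cnf -extensions ca_ext -key ca.key \
  -subj "/CN=Demo Root CA" -days 3650 -out ca.crt 2>/dev/null

# 2. Issue the leaf; 'openssl ca' records it as valid ("V") in index.txt.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null
openssl req -new -config ca.cnf -key leaf.key -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -notext 2>/dev/null
# The status locations a relying party would read out of the certificate:
openssl x509 -in leaf.crt -noout -text | grep -A2 -E 'CRL Distribution|Authority Information' || true

# CRL check: prints "good" or "revoked" for certificate $1 against CRL $2.
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *) echo "unexpected verify output: $out"; return 1 ;;
  esac
}

# OCSP check for certificate $1: build the request, answer it from index.txt as
# the CA's own responder (no network), then verify the signed response.
ocsp_status() {
  openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key -no_nonce \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -respin resp.der -CAfile ca.crt 2>&1 || true)
  case "$out" in *"Response verify OK"*) ;; *) echo "OCSP verify failed: $out"; return 1 ;; esac
  case "$out" in
    *": revoked"*) echo revoked ;;
    *": good"*)    echo good ;;
    *) echo "unexpected OCSP output: $out"; return 1 ;;
  esac
}

# 3. Status while the certificate is valid: an empty CRL and a "good" OCSP answer.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null
CRL_BEFORE=$(crl_status leaf.crt empty.crl)
OCSP_BEFORE=$(ocsp_status leaf.crt)

# 4. Revoke for key compromise and publish a new CRL (OCSP reads index.txt directly).
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null
CRL_AFTER=$(crl_status leaf.crt demo.crl)
OCSP_AFTER=$(ocsp_status leaf.crt)

echo "CRL:  before=$CRL_BEFORE after=$CRL_AFTER"
echo "OCSP: before=$OCSP_BEFORE after=$OCSP_AFTER"
```

Run it with sh: it prints good/good before the revocation and revoked/revoked after. One detail worth noticing: empty.crl, which was generated before the revocation, still reports the certificate as good afterwards, and will keep doing so until its nextUpdate passes. A cached or stale CRL is exactly the gap that a revocation-checking client has to close by fetching a fresh one, which is also why the much smaller, per-certificate OCSP response is the more timely of the two.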

What could happen if you go to a risky site?

  • Loss of Private Information – An attacker controlling the risky site could capture your personal information such as your birth date or credit card number
  • Identity Theft – An attacker could capture your username and password, allowing them to impersonate you on a website
  • Financial Loss – Loss of your credit card number or username and password could mean financial loss
  • Malware Installation – An attacker could install malware on your computer to help steal other information or take over your computer for a larger attack

How do I check certificate status?

  • Certificate-status checking is done by your browser or other certificate-aware software
  • In some cases, you may need to make sure certificate-status checking is turned on. This is more likely for software running on Windows XP.
  • Browsers and applications provide dialog boxes to turn on certificate-status checking, see below

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.