As part of its effort to promote SSL certificate best practices, the CA Security Council (CASC) has published two blog posts on the importance of revocation checking, Part 1 and Part 2.

Here are my summaries of SSL certificate status checking.

What is the purpose of a CA-issued SSL certificate?

  • To give the end user assurance about who controls the website
  • A CA-issued SSL certificate provides encryption as well, but so does a self-signed certificate; what a self-signed certificate does not provide is trust in the identity behind the site
  • Trust is elevated based on the verification practice used to validate the certificate applicant:
    • Domain Validation (DV) verifies the domain name is controlled by the applicant.
    • Organization Validation (OV) verifies the identity of the organization that controls the validated domain.
    • Extended Validation (EV) verifies the identity and authorization of the applicant at a higher level.

Why revoke a certificate?

  • Changes on the website owner's side (e.g., the organization has gone out of business, no longer controls the domain, or has changed its name)
  • The private key corresponding to the certificate has been compromised by a third party
  • CA learns that information in the certificate has changed or has been misrepresented

How is a certificate status conveyed?

  • Certificate Revocation List (CRL) – A file, digitally signed by the CA, listing the serial numbers of certificates that have been revoked and have not yet expired (expired certificates drop off the list)
  • Online Certificate Status Protocol (OCSP) – A protocol in which the client asks the CA's OCSP responder for the status of one particular certificate, identified by its issuer and serial number, and receives a digitally-signed response stating good, revoked, or unknown
  • The locations of both are carried in the certificate itself: the CRL Distribution Points extension gives the URL of the CRL, and the Authority Information Access extension gives the URL of the OCSP responder
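
The following script is an added example, not part of the CASC posts or this summary. It stands up a throw-away CA with the openssl command line, issues a server certificate that carries the CRL Distribution Points and OCSP pointers described above, reads those pointers back out of the certificate, then checks the certificate's status three ways: chain validation with no status check, a CRL check, and an OCSP request/response exchange. Everything runs offline: the CA name, host name and the two URLs are constructed placeholders, and the OCSP "network" leg is replaced by passing the DER-encoded request and response as files between the client and responder invocations of openssl ocsp. It assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: local CA, CRL and OCSP revocation checking with openssl.
# Names and URLs below are constructed placeholders. Assumes OpenSSL >= 1.1.1.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal configuration for `openssl ca`. The leaf_ext section adds the two
# status pointers a client uses: CRL Distribution Points and the OCSP entry in
# Authority Information Access.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
unique_subject   = no

[ policy_any ]
commonName = supplied

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
subjectAltName        = DNS:www.example.test
authorityInfoAccess   = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF

mkdir newcerts
: > index.txt
echo 'unique_subject = no' > index.txt.attr
echo 1000 > serial
echo 1000 > crlnumber

# Self-signed CA, then a server certificate issued by it (recorded in index.txt).
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -days 30 -subj '/CN=Demo Root CA' 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj '/CN=www.example.test' 2>/dev/null
openssl ca -batch -config ca.cnf -extensions leaf_ext -notext \
  -in leaf.csr -out leaf.pem 2>/dev/null

# The status locations are read from the certificate, not configured elsewhere.
ocsp_uri()   { openssl x509 -noout -ocsp_uri -in leaf.pem; }
crl_dp_uri() { openssl x509 -noout -ext crlDistributionPoints -in leaf.pem | sed -n 's/^ *URI://p'; }

# Chain validation only, no revocation data consulted: prints OK or error.
verify_no_status_check() {
  if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then echo OK; else echo error; fi
}

# CRL check: prints good, revoked, or error (a missing CRL is an error, not good).
verify_with_crl() {
  out="$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1)" && { echo good; return; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

# OCSP check: the client builds a request for (issuer, serial); the CA's
# responder answers from its index and signs the response; the client verifies
# the signature against the CA before trusting the status. Prints
# good/revoked/unknown, or error if the response does not verify.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -no_nonce -reqin req.der -respout resp.der >/dev/null 2>&1
  out="$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -respin resp.der -CAfile ca.pem 2>/dev/null)" \
    || { echo error; return; }
  printf '%s\n' "$out" | sed -n 's/^leaf.pem: //p'
}

OCSP_BEFORE="$(ocsp_status)"

# The key is reported compromised: revoke and publish a CRL.
openssl ca -batch -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null

PLAIN_AFTER="$(verify_no_status_check)"   # revocation is invisible without a status check
CRL_AFTER="$(verify_with_crl)"
OCSP_AFTER="$(ocsp_status)"

echo "OCSP URI:      $(ocsp_uri)"
echo "CRL DP URI:    $(crl_dp_uri)"
echo "before revoke: ocsp=$OCSP_BEFORE"
echo "after revoke:  plain=$PLAIN_AFTER crl=$CRL_AFTER ocsp=$OCSP_AFTER"
```

The last line is the point of the exercise: after revocation the certificate still passes plain chain validation, and only the CRL and OCSP checks report it as revoked. In a real client the CRL and the OCSP request go to the URLs printed from the certificate; here the responder is the CA itself signing with its own key, which is one of the two signer arrangements OCSP permits (the other being a delegated responder certificate).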

What could happen if you go to a risky site (for example, one presenting a revoked certificate)?

  • Loss of Private Information – An attacker controlling the risky site could capture your personal information such as your birth date or credit card number
  • Identity Theft – An attacker could capture your username and password, allowing them to impersonate you on a website
  • Financial Loss – Loss of your credit card number or username and password could mean financial loss
  • Malware Installation – An attacker could install malware on your computer to help steal other information or take over your computer for a larger attack

How do I check certificate status?

  • Certificate-status checking is done by your browser or other certificate-aware software
  • In some cases, you may need to ensure certificate-status checking is turned on. This is more likely on older platforms such as Windows XP.
  • Be aware that most browsers soft-fail: if the CRL or OCSP responder cannot be reached, the certificate is accepted anyway, so having checking turned on does not by itself guarantee a revoked certificate is rejected
  • Browsers and applications provide dialog boxes for turning certificate-status checking on; see below