1) Compare and contrast the OCSP and CRL approaches for certificate revocation.
2) What X.509 field does a browser check to determine if a received certificate is allowed to be used for the site that sends it?
3) Why do certificates have an expiration date if there are other certificate revocation mechanisms (i.e. OCSP and CRL)?
Answer (1): The full form of CRL is "certificate revocation list". It contains every certificate which is revoked by the CA. It has two parameters with each certificate:
(i) serial number, (ii) revocation date.
The full form of OCSP is "online certificate status protocol". It is similar to the CRL, but it has various advantages over the CRL approach.
OCSP is much faster than the CRL approach, because if anyone needs to search for a revoked certificate in the list, the CRL approach makes it difficult: in a CRL we need to search through as many certificates as the list has. If the list has thousands of certificates, then we search through every single certificate, which makes it very slow and inefficient.
In OCSP, on the other hand, we search for only that single certificate; we don't need to access the full list of certificates, which makes it a very fast and efficient approach for our system.
Answer (2): Every site on the internet has some certificates, one of which is the X.509 certificate. An X.509 certificate has some certificates like SSL and TLS, where SSL stands for "Secure Socket Layer", which means this website is secured and doesn't contain your personal details, and TLS is for "Transport Layer Security", which means the data transmission on this site is secured or encrypted by the owner. The browser first checks the site's certificates; if it has these secure certificates, then the browser tells us that the site is secure and recommends it, but if these secure certificates are missing from the site, then the browser shows us warnings of the type "this site is not secure, your data may be leaked".
Answer (3): Certificate revocation revokes certificates if they have any issue or if they are caught stealing users' information, but apart from these issues, various other things happen with every site. For example: the owner of the site may change, the site can change its terms and conditions, or it may change its security policies. A site can't stay the same as it was some time before, so we need to expire digital certificates after a specific time to secure users on the internet and make sure that users use the updated information or updated services from any site.
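The three checks the questions ask about can be seen together in one small client-side model. The following is an added example, not part of the original question or answer; it models a CRL as the (serial number, revocation date) list described in answer 1, an OCSP responder that answers for one serial at a time, hostname matching against the certificate's subjectAltName dNSName entries (the field a browser matches the site name against, per RFC 6125), and the notBefore/notAfter validity window that makes expiry a backstop independent of revocation. All certificates, serials, dates and names are constructed sample data; the `Cert`, `CRL` and `OCSPResponder` classes are hypothetical stand-ins for real ASN.1 structures, not a real library's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# --- Hypothetical data model (constructed for this example) -----------------

@dataclass
class Cert:
    serial: int
    san_dns: List[str]        # subjectAltName dNSName entries
    not_before: datetime      # validity period (question 3)
    not_after: datetime

@dataclass
class CRL:
    """Certificate revocation list: (serial, revocation date) pairs plus the
    CA's thisUpdate/nextUpdate freshness window."""
    entries: List[Tuple[int, datetime]]
    this_update: datetime
    next_update: datetime

    def lookup(self, serial: int) -> Optional[datetime]:
        # Linear scan over the whole list: cost grows with the CRL size.
        for s, when in self.entries:
            if s == serial:
                return when
        return None

class OCSPResponder:
    """Answers for a single serial per query, as OCSP does (RFC 6960)."""
    def __init__(self, revoked: Dict[int, datetime], known: Set[int], window: timedelta):
        self._revoked = revoked
        self._known = known
        self._window = window

    def query(self, serial: int, now: datetime) -> dict:
        if serial not in self._known:
            status = "unknown"          # responder has no record of this serial
        elif serial in self._revoked:
            status = "revoked"
        else:
            status = "good"
        return {"status": status, "this_update": now, "next_update": now + self._window}

# --- Client-side checks ------------------------------------------------------

def hostname_matches(hostname: str, san_dns: List[str]) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive; '*' allowed only as
    the whole left-most label, matching exactly one label, and never for a
    name with fewer than three labels (so '*.com' is rejected)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or len(labels) < 2:
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

def within_validity(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after

def revocation_status(cert: Cert, now: datetime,
                      crl: Optional[CRL] = None,
                      ocsp: Optional[OCSPResponder] = None) -> str:
    """Prefer the single-serial OCSP answer; fall back to the CRL; refuse a
    CRL whose nextUpdate has passed rather than trusting stale data."""
    if ocsp is not None:
        resp = ocsp.query(cert.serial, now)
        if resp["status"] != "unknown":
            return resp["status"]
    if crl is not None:
        if now > crl.next_update:
            return "stale"
        return "revoked" if crl.lookup(cert.serial) is not None else "good"
    return "unknown"

def verify(cert: Cert, hostname: str, now: datetime,
           crl: Optional[CRL] = None,
           ocsp: Optional[OCSPResponder] = None) -> List[str]:
    """Return the list of reasons a browser-like client would reject the cert
    for this site (empty list means accepted)."""
    problems = []
    if not hostname_matches(hostname, cert.san_dns):
        problems.append("hostname mismatch")
    if not within_validity(cert, now):
        problems.append("outside validity period")
    status = revocation_status(cert, now, crl, ocsp)
    if status != "good":
        problems.append(f"revocation status: {status}")
    return problems

# --- Constructed sample data -------------------------------------------------

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD = Cert(1001, ["www.example.test", "*.api.example.test"],
            NOW - timedelta(days=30), NOW + timedelta(days=60))
REVOKED = Cert(1002, ["old.example.test"],
               NOW - timedelta(days=30), NOW + timedelta(days=60))
EXPIRED = Cert(1003, ["www.example.test"],
               NOW - timedelta(days=400), NOW - timedelta(days=35))
CRL_SAMPLE = CRL([(1002, NOW - timedelta(days=2))],
                 this_update=NOW - timedelta(days=1), next_update=NOW + timedelta(days=6))
OCSP_SAMPLE = OCSPResponder({1002: NOW - timedelta(days=2)}, {1001, 1002, 1003},
                            window=timedelta(days=1))

if __name__ == "__main__":
    print(verify(GOOD, "www.example.test", NOW, crl=CRL_SAMPLE, ocsp=OCSP_SAMPLE))
    print(verify(REVOKED, "old.example.test", NOW, ocsp=OCSP_SAMPLE))
    print(verify(EXPIRED, "www.example.test", NOW, crl=CRL_SAMPLE))
```

The `EXPIRED` certificate is deliberately absent from both the CRL and the OCSP revoked set: nothing ever reported it, yet the client still rejects it because its notAfter has passed, which is the role expiry plays alongside revocation. The `stale` branch shows the other side of the CRL trade-off: a list downloaded once is cheap to consult, but once its nextUpdate passes the client has no current information and should not treat silence as "good".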