A. Lakshminarayanan
Abstract
PKI-based applications use digitally signed certificates to bind public keys to user identities. Some certificates must be revoked before their scheduled expiry, and certificate revocation is an important yet burdensome aspect of PKI. In this paper we present the augmented CRL scheme, a simple yet novel extension to delta-CRLs. With this scheme, certificate-verifying clients need not download base CRLs, yet they can reconstruct them from augmented CRLs. The scheme exploits the similarity between the X.509 base-CRL and delta-CRL data structures. We show that it provides significant bandwidth savings over existing CRL-based schemes, and that the amount of CRL data a client downloads is much smaller than with earlier schemes. The scheme is simple, scalable and can easily be integrated into existing CRL-based revocation schemes.
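The abstract relies on the standard delta-CRL mechanism that the augmented scheme extends: a delta-CRL is itself an X.509 CertificateList with the same revokedCertificates list as a complete CRL, distinguished only by a DeltaCRLIndicator extension naming the BaseCRLNumber it applies to, and a client that holds the base can fold deltas into it to obtain the current complete CRL without downloading it. The following is an added worked example of that RFC 5280 (section 5.2.4) merge, written for this page and not taken from the paper; it does not implement the paper's augmented CRL scheme, whose details the abstract does not give. CRLs are modelled as plain Python objects keyed by serial number, and all serials, CRL numbers and dates are constructed sample data.

```python
"""Delta-CRL combination as specified in RFC 5280 section 5.2.4, on a plain
Python model of the X.509 CertificateList (no ASN.1, no signatures), so the
reconstruction can be followed offline."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# CRLReason codes from RFC 5280; removeFromCRL is only meaningful in a delta.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8


@dataclass(frozen=True)
class Entry:
    """One revokedCertificates element: revocation date plus reason code."""
    revocation_date: datetime
    reason: int


@dataclass
class CRL:
    issuer: str
    crl_number: int                      # cRLNumber extension
    this_update: datetime
    revoked: Dict[int, Entry]            # serial number -> entry
    base_crl_number: Optional[int] = None  # DeltaCRLIndicator; None on a complete CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def can_combine(complete: CRL, delta: CRL) -> bool:
    """RFC 5280 5.2.4 preconditions: same issuer, complete CRL number at or
    after the delta's BaseCRLNumber, and the delta strictly newer."""
    return (
        not complete.is_delta
        and delta.is_delta
        and complete.issuer == delta.issuer
        and complete.crl_number >= delta.base_crl_number
        and complete.crl_number < delta.crl_number
    )


def apply_delta(complete: CRL, delta: CRL) -> CRL:
    """Return the complete CRL a client would have obtained by downloading
    the full CRL with the delta's number, built locally from base + delta."""
    if not can_combine(complete, delta):
        raise ValueError("complete CRL and delta CRL do not satisfy RFC 5280 5.2.4")
    revoked = dict(complete.revoked)
    for serial, entry in delta.revoked.items():
        if entry.reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)  # e.g. a certificateHold that was lifted
        else:
            revoked[serial] = entry    # newly revoked, or reason/date updated
    return CRL(complete.issuer, delta.crl_number, delta.this_update, revoked)


def reconstruct(base: CRL, deltas: List[CRL]) -> CRL:
    """Fold a sequence of deltas (oldest first) into a base CRL."""
    current = base
    for delta in deltas:
        current = apply_delta(current, delta)
    return current


def is_revoked(crl: CRL, serial: int) -> bool:
    return serial in crl.revoked


# ---- constructed sample data (not from any real CA) ----------------------
def _t(day: int) -> datetime:
    return datetime(2024, 1, day, tzinfo=timezone.utc)

ISSUER = "CN=Example CA"
BASE_CRL = CRL(ISSUER, 10, _t(1), {
    0x1001: Entry(_t(1), KEY_COMPROMISE),
    0x1002: Entry(_t(1), CERTIFICATE_HOLD),
})
DELTA_12 = CRL(ISSUER, 12, _t(3), {
    0x1003: Entry(_t(2), KEY_COMPROMISE),   # revoked since base 10
    0x1002: Entry(_t(3), REMOVE_FROM_CRL),  # hold on 0x1002 lifted
}, base_crl_number=10)
DELTA_14 = CRL(ISSUER, 14, _t(5), {
    0x1004: Entry(_t(4), CERTIFICATE_HOLD),
}, base_crl_number=12)
# What the CA would publish as the full CRL number 14:
FULL_CRL_14 = CRL(ISSUER, 14, _t(5), {
    0x1001: Entry(_t(1), KEY_COMPROMISE),
    0x1003: Entry(_t(2), KEY_COMPROMISE),
    0x1004: Entry(_t(4), CERTIFICATE_HOLD),
})

if __name__ == "__main__":
    rebuilt = reconstruct(BASE_CRL, [DELTA_12, DELTA_14])
    print("matches published CRL 14:", rebuilt.revoked == FULL_CRL_14.revoked)
```

The check in `can_combine` matters in practice: DELTA_14 is anchored at base number 12, so applying it directly to the number-10 base is rejected rather than silently producing a CRL that omits the 0x1003 revocation.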