Security Watch: PKI Enhancements in Windows
Certificate revocation lists (CRLs) have long been used to provide validity checking for certificates. A CRL lists the serial numbers of all certificates whose validity period has not yet expired but that should no longer be trusted. For example, if an employee has a certificate with an expiration date of 12/31/2008 but the employee leaves the organization on 9/1/2007, the serial numbers of their certificates would be placed on the CRL. The CRL would then be made available at multiple CRL Distribution Points (CDPs), such as HTTP and Lightweight Directory Access Protocol (LDAP) paths.
While still in widespread use, CRLs present a problem for large organizations: a CRL can grow very large (sometimes over 100MB). Distributing such files across a large, widely dispersed network can be difficult or impossible, particularly in branch office scenarios or other environments with constrained bandwidth. This issue is described in RFC 5019 (http://www.rfc-editor.org/rfc/rfc5019.txt) and is addressed, starting with Windows Vista and Windows Server 2008, with the Online Certificate Status Protocol (OCSP). An OCSP client runs on the machine that needs to check the validity of a leaf certificate. The client references an OCSP responder and sends it a message asking for the validity status of that leaf certificate. The responder checks the status of the certificate and replies to the client. This approach spares the client from having to download and cache a very large CRL.
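The two revocation-checking paths described above, side by side, as an added example that is not part of the original article and not Microsoft's code: a throw-away CA issues two certificates, revokes one, and a client checks both certificates first against the CA's CRL and then through an OCSP request/response exchange, entirely offline with the openssl command-line tool. The CA name, the subject names, the serial numbers 1000 and 1001, the expiry date in the index and the `demo_ca` config section are all constructed for the demo; the index.txt format and the `openssl ca`/`openssl ocsp` options are openssl's own.

```shell
#!/bin/sh
# Added example (constructed names, serials and dates; not from the article).
# Shows what each revocation check actually exchanges: the CRL check needs the
# whole CRL on the client, the OCSP check needs one small signed answer per serial.
set -e

# Run an openssl command quietly; a failure still aborts the script (set -e).
q() { "$@" >/dev/null 2>&1; }

setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"

    # A self-signed issuing CA plus two end-entity certificates (serials 1000, 1001).
    q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Example Issuing CA" -days 365
    for who in employee:1000 contractor:1001; do
        name=${who%%:*}; serial=${who##*:}
        q openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=$name"
        q openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -set_serial "$serial" -days 365 -out "$name.pem"
    done

    # The CA's revocation database in openssl's index.txt format:
    # status, expiry, revocation date[,reason], serial in hex, file, subject.
    # Serial 1000 (0x03E8, the employee who left) is revoked as of now; 1001 stays valid.
    now=$(date -u +%y%m%d%H%M%SZ)
    printf 'R\t301231235959Z\t%s,affiliationChanged\t03E8\tunknown\t/CN=employee\n' "$now" > index.txt
    printf 'V\t301231235959Z\t\t03E9\tunknown\t/CN=contractor\n' >> index.txt

    # Minimal openssl ca config so the CA can publish a CRL built from the index.
    printf '[ ca ]\ndefault_ca = demo_ca\n[ demo_ca ]\ndatabase = index.txt\ndefault_md = sha256\n' > ca.cnf
    q openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl \
        -crldays 1 -out crl.pem
}

# CRL check: the client holds the complete CRL (crl.pem) and looks for the
# certificate's serial number in it. Prints "revoked" or "good".
check_with_crl() {
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"$1: OK"*)              echo good ;;
        *)                       echo "error: $out" ;;
    esac
}

# OCSP check: the client asks about one serial number and verifies a small
# signed answer from the responder instead of downloading the whole CRL.
check_with_ocsp() {
    # Client side: build the request (issuer name/key hashes + serial) for this cert.
    q openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der
    # Responder side: look the serial up in the index and sign the answer with the CA key.
    q openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der
    # Client side: verify the responder's signature against the trusted CA, read the status.
    out=$(openssl ocsp -issuer ca.pem -cert "$1" -CAfile ca.pem -no_nonce \
        -respin resp.der 2>&1) || true
    case "$out" in
        *"$1: revoked"*) echo revoked ;;
        *"$1: good"*)    echo good ;;
        *)               echo "error: $out" ;;
    esac
}

setup_pki
for cert in employee.pem contractor.pem; do
    echo "$cert  CRL: $(check_with_crl "$cert")  OCSP: $(check_with_ocsp "$cert")"
done
```

Both checks agree on the same underlying revocation data (the index the CA publishes the CRL from is the same index the responder answers from), which is the point: OCSP changes how the answer is delivered, not what it is. A serial the responder has no record of comes back as "unknown" rather than "good", so a client should treat anything other than an explicit "good" as a failed check.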
John Morello has been with Microsoft since 2000. As a Senior Consultant, he designed security solutions for Fortune 100 enterprises and Federal civilian and defense clients. He's currently a Senior Program Manager in the Windows Server division working on security and anywhere access technologies. You can read his team's blog at blogs.technet.com/WinCAT.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.